CyberWire Daily - Equifax decides to tell people it's been breached. Notes from the Intelligence and National Security Summit. WikiLeaks dumps missile guidance documents from Vault7. The ShadowBrokers are back, with a new offer.
Episode Date: September 8, 2017
In today's podcast we hear that credit bureau Equifax had disclosed a massive data breach it discovered on July 29th. Does that mean they're about a month delinquent? WikiLeaks weekly Vault7 dump... departs from past practice with respect to content. The ShadowBrokers are back, and offering a twice monthly twofer. Emily Wilson from Terbium Labs with her thoughts on the encryption debate. Alexander Klimburg, author of The Darkening Web. And Intelligence Community leaders agree on at least three things: they need a better security clearance process, they need Section 702, and nowadays all intelligence involves cyber intelligence.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Equifax discloses a massive data breach it discovered on July 29th. Does that mean they're about a month delinquent? WikiLeaks' weekly Vault 7 dump departs from past practice with respect to content. The Shadow Brokers are back and offering a twice monthly twofer. And intelligence community leaders agree on at least three things. They need a better security clearance process. They need Section 702. And nowadays, all intelligence involves cyber intelligence.
I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, September 8, 2017.
The big story in cybersecurity is yesterday's disclosure by Equifax, one of the big three U.S. credit bureaus, that it had sustained a data breach. And this breach is a big one. It affects 143 million individuals, mostly Americans, although data belonging to smaller numbers of citizens of some other countries, notably Canada and the United Kingdom, were also hit. It's known that the data was lost. Equifax disclosed that it had detected unauthorized access. So this isn't simply a case of, say, potential exposure of data inadvertently left out there on the web. Someone came in and took it.
Among the information lost are names, social security account numbers, dates of birth, and addresses. Large subsets of the affected individuals also lost credit card numbers, dispute documents, and driver's license numbers. You'd say that seems like about everything, but Equifax would differ. The company says in its statement that its core credit record databases were uncompromised. Those are records of things like late payments, bad debts, and so on. Most observers have found that cold comfort at best.
The data lost are more than sufficient to commit all manner of fraud and identity theft. How the breach occurred remains publicly unknown, and Equifax has been closed-mouthed about the details. But there's considerable speculation online that the hackers exploited a patchable but unpatched flaw in Equifax's website. The company says it noticed the breach on July 29th, and that it's called in a security company to help with remediation. They're also offering their identity protection and credit monitoring services free to affected individuals. Why affected individuals would sign up for such monitoring is unclear. Many journalists and security experts have looked into the proffered service and found it dodgy, hard to use, generally insecure, and probably an opportunity to be hit up for a paid renewal when the free offer expires.
The company's response has struck most as tone-deaf. In most large-scale cyber incidents, there are varying degrees of sympathy for the victim and an acknowledgment of the victim's difficulties. Equifax is, as far as we can tell, getting none of this. The Twitter storm over the incident is massive and utterly unsympathetic. A great deal of this is schadenfreude from those who have found themselves at some point in their lives caught up in the iron web of credit evaluation. A lot of it comes from security people who are aghast at the apparent degree of carelessness with personal data. And no one appears to think that a 49-day delay between discovery and disclosure is acceptable. It may be difficult for the credit rating industry as a whole to continue in its present form.
Equifax stock is down about 13% today, but there are a few things to point out. First, it's not necessarily the company's customers who are being hurt. It's the consumers those customers are paying Equifax to rate. Second, three senior Equifax executives sold significant blocks of their shares in the company between July 29th and yesterday. The company has said none of the three, they included the CFO, knew about the breach when they sold and that, anyway, they didn't sell all the shares they owned.
There will be as many, if not more, lessons to be learned from this episode as a case study and incident response, as there will from the forensic post-mortem itself. Further exploitation may already be in progress. We've seen creditable but unconfirmed reports that an extortion threat has been made online to Equifax.
The annual Intelligence and National Security Summit, sponsored jointly by INSA and AFCEA, concluded yesterday in Washington, D.C. You'll find our continuing coverage of the summit on our website, thecyberwire.com. But here, we'll mention three themes that came across very clearly to us at the conference.
First, the U.S. intelligence community and its stakeholders find themselves in general agreement that a new approach to talent management is necessary, that what Marine Corps Major General Groen of the Joint Staff's J-2 called an industrial age approach to the workforce is no longer adequate to current realities, and it's likely to grow even less adequate over time. People with essential expertise, both linguists and cybersecurity professionals were repeatedly singled out for mention, need to have career paths designed that will challenge, develop, and retain them. And there was a close to complete and universal agreement, as we've ever seen, that one aspect of the legacy approach to talent management, the security clearance process, is irretrievably broken. How it could be fixed remains unclear, but fixed it must be, senior intelligence community leaders agreed. They advocated in a general way two lines of reform that might be pursued, moving away from the current practice of regular re-examinations in favor of some form of continuous evaluation, and moving toward a serious risk management approach to personnel security.
Second, the U.S. intelligence executives who spoke were unanimous in their support of Section 702 reauthorization.
This section of the Foreign Intelligence Surveillance Act authorizes the intelligence community to target the communications of non-U.S. persons located outside the United States for foreign intelligence purposes. They thought that without Section 702 authority, their ability to accomplish their mission would, given current global communication realities, essentially vanish. All were at pains to stress the multiple layers of oversight designed to shield U.S. citizens' privacy from 702 surveillance. Representative Schiff and Senator Warner, ranking members respectively of the House and Senate Intelligence Committees, both said in their remarks that they thought congressional reauthorization of Section 702 was likely.
And the third point was obvious on reflection, although it could easily have been lost by the routine way in which it was treated. All intelligence is now effectively cyber intelligence. None of the traditional intelligence disciplines, not even IMINT, imagery intelligence, mostly photos taken from aircraft or satellites, or HUMINT, human intelligence, the traditional spycraft of recruiting and running agents, among other practices, are conducted entirely outside of cyberspace any longer.
As usual, WikiLeaks offered another dump from Vault 7 yesterday. It involved no cyber tools, but rather a missile control system. Two things are worth remarking on the dump. First, the classification level of the leaks appears to be dropping. No juicy, highly compartmented stuff here. And second, WikiLeaks had adopted a kind of Tribune of the People stance with its earlier dumps. See how we take your side against the overweening surveillance of the deep state, and so on. But that fig leaf seems to have dropped, at least this time. A combat system is tough to cover with a fig leaf of civil libertarian concern.
And the Shadow Brokers are back, too. Have you missed them as much as we have? This time, it's with an announcement. They now plan to move from one exploit dump per month to two of them. The twofer offer gamely maintains the Brokers' pose of selling stuff to make some coin at the Equation Group's expense. They're in it for the money, don't you see? As they say, if you be paying, the Shadow Brokers be playing. Don't be playing, kids. Or paying, either. Just say no.
Joining me once again is Emily Wilson. She's the director of analysis at Terbium Labs. Emily, we've seen some stories lately coming out of the UK where after some terrorist attacks, some of the politicians there have been saying perhaps we need to dial back encryption. And this has led to people saying, no, that'll just drive people underground onto the dark web.
Yeah, I think there are two interesting points on that. One of them is that it comes around time and again every time something pops up. You know, a terrorist attack, for example, where technology of some kind was involved, which is basically anything at this point. People were communicating about their plans. It's really easy for people to say, oh, well, we should end encryption. In the same way people pop up and say, oh, you know, we should have locked doors, but only for law enforcement. It is overly simplistic in a way that I struggle to articulate clearly because I get so frustrated. It is entirely unreasonable to say that we need to end encryption because that would solve our problems.
Sure. Okay. Great.
I think some people are making the case to not end it, but maybe just weaken it. Is there a difference? Is that a distinction without a difference?
I think it's a distinction without a difference. I think you say we'll weaken it. I think you say we will only use it for these purposes. You say everything is going to be above board and that's fine. And I think that is an unrealistic situation. And I think anyone who believes that could work probably hasn't thought it through all the way. If you make it easier for some people to be able to access encrypted messaging, then you are just giving everyone else a good foothold to push through further.
Do you think there's anything to this notion that it'll drive people to the dark web?
I wouldn't be surprised. I think people are always going to be looking for a way to communicate or interact securely or privately. And I think, you know, there's a whole separate discussion about the difference between security and privacy. But the more time that passes, the more people have an expectation of being able to conduct their business without being interfered with, perfectly legitimate business, whether this is messaging or browsing or what have you. And I think people are going to start looking for what previously were thought to be more extreme measures. And I don't think the dark web has to be an extreme thing. You know, if you use Tor browser, it doesn't make you a criminal. It doesn't mean you're doing anything wrong. It just means you want to be able to browse anonymously. I think people are going to increasingly find that appealing.
Emily Wilson, thanks for joining us.
My guest today is Alexander Klimburg. He's the author of the book The Darkening Web: The War for Cyberspace. Mr. Klimburg is a program director at the Hague Center for Strategic Studies, a non-resident senior fellow at the Atlantic Council, and an associate and former fellow at the Belfer Center of the Harvard Kennedy School. In our conversation, I asked him about the notion of a cyber Pearl Harbor or a cyber 9-11.
Those terms have become totem poles for those who subscribe all catastrophe scenarios to only those who have a vested interest in gaining something from them financially. In other words, everyone who talks about cyber 9-11, cyber Pearl Harbor, is selling a cyber product. Unfortunately, of course, a lot of that is true. A lot of people have been getting a lot of money from selling products and have been getting a lot from what we call in then just, you know, we call it infosec world fear, uncertainty, doubt. At the same time, it doesn't mean that their scare stories aren't true as well. And this has been the problem for me. I think that us as, we as a community, so the hacks community, infosec community, which I am part of, I think does not address sufficiently is a certain amount of honesty when we talk about what really can go wrong.
In the closed groups that I'm part of, we all know that it's completely possible. But a lot of people who are part of these working groups won't say so publicly because they don't want to be accused of fear mongering. And I find that's really a problem. The problem is that a lot of people who work in infosec and especially who are engineers don't feel that it's their job to communicate certain fundamental truths to the wider public, such as there is no such thing as complete security. Everybody who works in infosec knows that. And sometimes they find that it's not're not going to communicate the wider truth with, well, yes, of course it's possible to take down the entire United States and plunge us either back into the 1920s or the Iron Age, depending on exactly how gloomy your scenario is. It's absolutely possible. Sometimes they is a wide approximation, but it's been a common point of departure that many infosec professionals would prefer not to talk about these fear scenarios because they thought that it always would only advance the interests of those who have a security product to sell or an organization to build or something similar.
So that's the first part. The first part is that, yes, I do think a lot of these things are a lot more possible than have been described by other technologists in public. I think it is absolutely possible for advanced cyber power to inflict debilitating damage on the United States. Absolutely. And I also think that it's much more likely to occur than nuclear war. But it still means it's very unlikely to occur, right? Someone has to keep these things in context. When I talk about a full-out cyber get-on, all-out cyber war, I think it's quite unlikely. But these repercussions are still pretty dramatic, and I think it's important technically that we are aware of what the repercussions could be.
The second point when you raise the capability issue, I think sometimes people get this wrong as well, is that there's a nice idea out that we've been floating since the 1990s that the individual can take down a state. It's not really true. It was more true beforehand, and now it's really hardly true anymore, simply because we used one way to see it is an individual can perhaps disrupt the power supply in a localized area, and maybe a couple of individuals or a terrorist network might even manage to shut down the power grid, let's say, in one of the three U.S. power distribution grid territories, right? But only for a little bit, and it wouldn't be for – probably only for a little bit and probably only in a reversible way. So it wouldn't be permanent damage. But what a fully funded tier six capability actor, Russia, China, the UK, Israel, what those actors could do is a whole different level of damage. And that, I think, a non-state actor group would have to be very focused to accomplish that level of intelligence and skills and penetration to be able to cause a level of damage.
So when we talk about the fact that, yes, a lot of different countries and actors can play in this space, it's important to say that many people can play in this space, yes. Some of these can also be non-state actors, and some of these can be even individuals. But where we used to be 20 years ago, 30 years ago, and thinking that one person can really shut down a country, I don't think that's the case, if it ever was. I also think that we can basically say that the top-rated cyber powers are mostly states. So I think it's fundamentally just important to keep in mind is that there are top-level security cyber actors out there, and they will use less empowered actors, cybercrime in particular, to accomplish their mission. But there's a big difference between like what the US can do, what Russia can do, what China can do. And by the way, it's in that order.
You make the point in the book that those of us who are in the cybersecurity business need to do a better job making our case to the general public.
Number one is that we need to work on our messaging better. We need to effectively explain how big the threat is. And the threat is not only of the lights going out, that there will be a massive cyber war of some sort that will destroy critical infrastructure, although that thing is possible and we need to make sure that people understand that it's possible so that we can avoid it by accident occurring between states. It's also important that we understand that there's a scenario where the lights never go out, that we enter this panopticon type situation of total controlled information domain, that the internet that we know today will be fundamentally weakened by the influence of states by trying to control the internet, which is consistent, ongoing, has been going on since the 90s and only increasing in scope. And if states, all states, manage to get a controlling interest of how the internet is conceived, then we've surrendered effectively the entire information domain to the control of governments. There's no room for free speech in a world like that. And in that case also, I don't see how democracy could even survive. So for everyone who has a professional interest in cyberspace, they really have to be a bit more aware of the larger picture is of what we work on today and how this information domain really plays an important role in our day-to-day lives, not only in how we earn our livelihoods, but also how our children will actually live.
That's Alexander Klimburg. The book is The Darkening Web: The War for Cyberspace.
And that's the CyberWire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.