CyberWire Daily - Everything Equifax, with some notes on German election vulnerabilities and an update on the Crackas With Attitude.
Episode Date: September 11, 2017Today's podcast features all things Equifax, as the credit bureau deals with its breach (and the lawyers and Wall Street wind up to deal with the credit bureau). The Chaos Computer Club says it's fou...nd major flaws in German election software. Moscow seems to have done a lot of catphishing in social media during the last US campaign season. Best Buy boots Kaspersky security products from its big box stores. Dale Drew from Level 3 Communications with some sobering statistics on attack trends. And a Cracka with Attitude gets five years in Club Fed. Thanks for listening to the CyberWire. One of the ways you can support what we do is by visiting our sponsors. We read Recorded Future’s free intel daily, you might find it valuable, too. If you’d like to protect your endpoints against advanced threats, check out Cylance. JHUISI & partner COMPASS Cyber present Cyber Security Conference for Executives on September 19th in Baltimore. Register for the event. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
private by signing up for Delete Me. Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
All things Equifax as the credit bureau deals with its breach
and the lawyers and Wall Street wind up to deal with the credit bureau.
The Chaos Computer
Club says it's found major flaws in German election software. Moscow seems to have done a lot of
catfishing in social media during the last U.S. campaign season. Best Buy boots Kaspersky
security products from its big box stores. And a cracker with attitude gets five years in Club Fed.
gets five years in Club Fed.
I'm Dave Bittner in Baltimore with your Cyber Wire summary for Monday, September 11, 2017.
We begin today with some updates on last week's Equifax debacle.
By general consensus, the most serious data breach to come along in years.
In terms of numbers affected, it's smaller by an order of magnitude than the Yahoo breaches of 2016, but those affected mostly Yahoo user credentials.
The Equifax breach, which at 143 million individuals hit is big enough, includes a
great deal of sensitive personal information. Names, social security account numbers,
dates of birth, and addresses.
Large subsets of those individuals also had their credit cards exposed—some 209,000 card numbers were lost—and other personal information like driver's license numbers
and records of credit disputes was taken from 182,000 people.
Once you take out children and those who don't participate in the labor market, the 143 million total, a little less than half the U.S. population, is enough to cover the vast
majority of adults who would be in a position to seek credit. So anyone who has a credit card,
a home loan, in many cases even a bank account, can consider themselves at risk.
Much of the coverage of the breach is misleading in that it says Equifax
customers were the victims of data theft, but the individuals whose information was stolen were for
the most part not customers of Equifax, but rather people whose credit Equifax was rating
for the institutions that are its actual customers, banks, credit managers, and so forth.
The consensus advice experts are giving to those affected,
which would probably include you if you're listening to this,
is to put a freeze on their credit.
The U.S. Federal Trade Commission has some advice available on how to do this,
which you'll find at consumer.ftc.gov.
Go to the FTC's blog on the site and select the entry called
The Equifax Data Breach, What to Do.
Equifax incident response, particularly its public communications, have been widely exoriated.
Krebs on Security calls it a dumpster fire, and that's the general assessment. The 41 days between
discovery and disclosure strikes most as far too long. To be sure, it takes time to evaluate a
security incident,
and no one would want to send out disclosures and alerts
on the basis of every wayward false positive.
But it's difficult to see 41 days as falling within any reasonable standard
of timely notification.
Here are two benchmarks in U.S. state law and regulation that may provide context.
Georgia's breach notification law reads as follows.
Any person or business that maintains computerized data on behalf of an information broker or
data collector that includes personal information of individuals that the person or business
does not own shall notify the information broker or data collector of any breach of
the security of the system within 24 hours following discovery,
if the personal information was or is reasonably believed to have been acquired by an unauthorized
person. And New York State's Department of Financial Services, in its regulations that
began to come into effect at the end of last month, gives covered entities no more than 72
hours to report once they've determined that a cybersecurity
event has occurred. Security experts are already reporting a spike in online fraud of the kind
normally associated with such breaches. One bit of dark web criminal activity that popped up within
hours of Equifax's disclosure has, however, begun to appear bogus. A ransom message appeared from some person or persons claiming to be the Equifax hacker.
They said,
We need to monetize this information as soon as possible,
and demanded 600 Bitcoin from Equifax, roughly $2.5 million, by September 15th.
If the credit bureau failed to pay, the authors of the ransom note said
they'd post the stolen data, minus the credit card numbers, online.
But these people, whose accounts have been suspended by their hosts, appear to be opportunistic grifters and not the real hackers after all.
Investigation continues.
Speculation about how the hackers got in centers on an Apache Struts vulnerability,
although which vulnerability and
how it may have been exploited remains unclear. Equifax's stock price continues to drop. It fell
more than 13 percent Friday. This afternoon, it's down by about 10 percent. The share prices of its
two principal competitors, Experian and TransUnion, took an initial tumble Friday, but appear to be recovering today.
States Attorneys General, including New York's, are opening investigations, as are the U.S. Congress and any number of regulatory bodies.
The plaintiff's bar is also predictably queuing up legal action against Equifax.
Hackeread reports the suits add up to billions, as one would expect.
Hack read reports the suits add up to billions, as one would expect.
Even though such large awards of damages are unlikely,
Equifax faces some tough legal sledding over the incident.
The Chaos Computer Club, a white hat outfit operating from Germany,
reports finding vulnerabilities in voting software used in several German lender.
The Federal Republic's 16 constituent states will hold elections on September 24th. Berlin has been preparing for Russian interference for a year.
Facebook's discovery that it had been selling ads to Russian catfish prompts a look by the
New York Times and others at one prominent influence operation operations tactic, the creation of fictitious persona in social media.
These were evidently used to cast doubt on the integrity of U.S. political institutions
during the last election cycle.
Disruption and mistrust were apparently more important than any particular balloting outcome.
Kaspersky Lab remains in bad official U.S. odor.
It's also taken a hit in the consumer marketplace,
as Best Buy announces it will no longer carry the Russian security company's products.
And finally, remember the crackas with attitude who doxed various U.S. government officials back in 2015?
The second cracka to cop a guilty plea has been sentenced.
Justin G. Liverman, age 25, who used the nom-to-hack default,
has received five years in the big house on a federal hacking beef.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Visit salesforce.com slash careers to learn more. on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off. is a passionate artist who puts her career on hold to stay home with her young son. But her
maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of
herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film
from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+. And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. Thank you. Learn more at blackcloak.io.
And I'm pleased to be joined once again by Dale Drew.
He's the Chief Security Officer at Level 3 Communications.
Dale, welcome back.
You know, you all have a really unique view of the Internet.
There's a lot of things that you all can see that many organizations cannot. And you wanted to share some pretty sobering statistics with us today.
Yeah, sobering is a very good word for it. We have this threat intelligence infrastructure that we use to monitor for traffic on our network, and we categorize attacks that we see. And so,
and what we've seen is a pretty sharp and sustained increase in attacks going through the public internet.
And so two things which were pretty surprising.
The one is we, on a rolling average 30-day basis, we see about 750,000 automated attacks a day hitting the honeypot network.
These are machines that are set up.
We have them.
Other companies have them.
We sort of monitor the honeypot networks.
Against victims, we see 15,000 malware sessions a second hitting victims.
And so the amount of malware traffic on the global backbone is just staggering.
We see 50,000 phishing emails a second.
a second. So these are emails going to potential victims to have them click on it so that they can get their computer compromised to have malware delivered and then gets access to the enterprise.
And we see about 8,000 scanning attempts per second. These are bad guys automatically scanning
the network looking for particular exposures that they then can compromise to deliver things like
malware. So attacks are definitely here to stay and they're definitely
growing. There was a study or a survey produced by Encapsula here not too recently that said about
that 52% of all web traffic is botnet traffic. And of that web traffic, about 23% of it was helpful botnet traffic, like search engine traffic and feed fetching traffic.
And about 29% of it was harmful botnet traffic, automated systems that are scanning,
looking for victims, compromising them, adding them to botnets. And so just on web traffic alone,
more than 50% of all web traffic was surveyed to be botnet traffic.
So looking at these numbers, what's a person to do? What are your recommendations?
Well, my recommendation is bad guys are here to stay. Bad guys have automated their infrastructure,
so they don't have to have fingers on the keyboard at all times to be able to find your weaknesses, exploit those weaknesses, and gain access to your infrastructure.
So at level three, our public infrastructure gets scanned six times a second.
We audit our infrastructure every day.
So I'm auditing my systems every 24 hours, but the bad guys are looking for weaknesses every six seconds.
But the bad guys are looking for weaknesses every six seconds.
And so the moment that we have a weakness in our infrastructure, an operator makes a small configuration change or forgets to deploy a patch in time, I'll find it in 24 hours.
The bad guys will find it within six seconds. our diligence to make sure that if you have infrastructure connected to the public internet
and it's accessible, to make sure that you have the right practices in place to monitor,
not only for compliance of security policy and patches, but also, more importantly, to monitor
for potential breaches and compromises. All right. Sobering indeed, but as always,
good information. Dale Drew. Sobering indeed. But always, as always, good information.
Dale Drew, thanks for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide. ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep team of editors and producers.
I'm Dave Bittner. Thanks for listening.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided
apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.