CyberWire Daily - Executive Order mandates election interference sanctions. British Airways regulatory exposure. Patch Tuesday notes. EU passes copyright law. Russia says no to Novichok. WhatsApp scam.

Episode Date: September 12, 2018

In our podcast we hear that a US Executive Order issued today will impose sanctions on foreign actors following a determination that there's been an attempt at election meddling. The Executive Order covers both hacking and propaganda. British Airways may receive a heavy fine under GDPR for its recent breach. The EU passes controversial copyright legislation. Russia says the accused Novichok hitmen didn't do nothin'. And watch out for Olivia on WhatsApp—she's not what she at first seems to be. Jonathan Katz from the University of Maryland, with a cryptocurrency bug story from the MIT media lab. Guest is Robert Block from SecureAuth + CoreSecurity, with best practices for securing Office 365. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/September/CyberWire_2018_09_12.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 A U.S. executive order issued today will impose sanctions on foreign actors following a determination that there's been an attempt at election meddling. The executive order covers both hacking and propaganda. British Airways may receive a heavy fine under GDPR for its recent breach.
Starting point is 00:02:14 The EU passes controversial copyright legislation. Russia says the accused Novichok hitman didn't do nothing. And watch out for Olivia on WhatsApp. She's not what she at first seems to be. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, September 12, 2018. Ars Technica has just reported that U.S. President Donald Trump today signed an executive order that would automatically impose sanctions on any foreign entity found to be interfering in U.S. elections. has not yet been released, but Director of National Intelligence Dan Coats and National Security Advisor John Bolton gave reporters an outline of the order in a conference call earlier today. The executive order declares a national emergency
Starting point is 00:03:14 and requires the Director of National Intelligence to regularly assess activities directed at influencing or otherwise disrupting U.S. elections and to report findings to the Departments of Justice and Homeland Security. Those departments would determine within 45 days whether the interference had occurred. If the conclusion is that someone did interfere, then the Departments of State and Treasury would automatically impose a range of appropriate sanctions. Such sanctions could include, the executive order specifies, blocking of assets, blocking transfer of property,
Starting point is 00:03:50 stopping U.S. investment in sanctioned companies, and restriction of travel. National Security Advisor Bolton said that the order covered not only attacks on election infrastructure, which would presumably include voting machine hacks, data manipulation, and so forth, but also distribution of propaganda intended to have an effect on an election. DNI Coats said, quote, we've learned our lessons. Our focus is, going forward, that we have the integrity of the election in place, and we have the measures in place to
Starting point is 00:04:22 deter and retaliate if necessary, end quote. A determination of foreign influence could come at any point in an election cycle. One interesting point, stressed by Bolton, is that the first public notice of a finding of interference would usually be the impositions of sanctions themselves. The U.S. doesn't, Bolton explained, wish to risk exposing the intelligence sources and methods used to investigate such matters. The executive order comes as Congress is considering legislation to accomplish some of the same goals. The DETER Act, co-sponsored by Senators Van Hollen, a Democrat of Maryland, and Rubio, Republican of Florida, would impose economic sanctions against Russian companies
Starting point is 00:05:07 and require the executive branch to identify other countries involved in election interference within a deadline of 90 days to propose sanctions. A similar bill is under consideration in the House of Representatives. The British Airways data breach remains under investigation. The general consensus is that RiskIQ got it more or less right in attributing the intrusion to the Magecart gang. The incident is expected to result in precedent-setting GDPR enforcement action. Bloomberg reports that authorities are considering a fine,
Starting point is 00:05:40 and online magazine Payments suggests the fine could be a lulu, as much as £500 million sterling. This is especially likely if enforcers conclude this is the time to draw a compliance line. In yesterday's Patch Tuesday, Microsoft addressed 61 vulnerabilities, at least three of which are under active exploitation in the wild. Security firm Ivanti emailed us to point out, among other things, that one of the fixes from Redmond addresses CVE-2018-8440, the privilege escalation vulnerability in Windows Advanced Local Procedure Call that the depressed and frustrated researcher SandboxEscaper dumped on Twitter recently.
Starting point is 00:06:24 Ivanti suggests you not delay in applying this patch. It's out, about, and being actively exploited. Adobe also patched, issuing a new version of its Flash Player, and SAP has fixed 14 bugs in its products as well. Microsoft Office 365 is among the most widely used cloud services in the world, which of course makes it a prime target for attack. That makes securing Office 365 a priority for many organizations, but it can be complicated. Robert Block is Senior Vice President of Product Strategy at SecureAuth,
Starting point is 00:07:00 a company focused on preventing the misuse of credentials. It depends on the license level and the strategic value that organizations have placed on Microsoft. If I looked at our prospect and customer base, it's probably in thirds. A third of them own the very basics of Microsoft. They still want to use O365. A third of them use the mid-tier, which provides them real rich business functionality and basic security. And a third of them live in the E5, E5, that's Microsoft licensing terms, the largest license you could have, where you have the enterprise of business and enterprise of security. They treat Microsoft very strategically.
Starting point is 00:07:45 So we still see our demographic as third, third, third. And so what are the challenges to each of those groups? I mean, I suppose one thing must be perception. People feel like they have Office 365, but as you lay out here, that might not mean the same thing. Oh, it absolutely does not.
Starting point is 00:08:10 In fact, Microsoft O365 by itself as a business optimization platform, while fantastic in certain rights, comes with little security on its own. So the first thing you have to do as a customer is break down what do you own, what do you want to own, and what is best practice or what fits your needs to own? The minimal adopters, they are still trying to figure out, okay, so yes, I'm going to use O365 for email and I'm going to use it maybe for SharePoint or other online services, but I did not buy any security. So how do I yet now secure? Do I up-level and license with Microsoft, or do I seek best-of-breed third-party integrations? The mid-tier is saying, hey, I bought some feature-rich business optimization, and I bought some foundational security, but is that enough? It's likely not. So now what do I do?
Starting point is 00:09:00 Do I up-level again, or do I seek out third-party, best-of-breed, best-practice-based security scenarios? And the third is saying, hey, I've bought it all, but I had no idea I bought nine products just for security, and they intermingle each other in certain ways that is not great for my user experience. Now what should I do? Should I still seek third-party, or should I just live with what I have and deal with it on the pro-serve side and administratively? Now what about the folks at that entry level? It seems to me almost upside down in a way that the people with the least amount of sophistication, I would suppose, are also the ones with the least amount of protection. 100%.
Starting point is 00:09:41 And I think that's an industry systemic issue, right? I won't necessarily fall to Microsoft for that. I think our SMB to low mid-level space does have the least sophistication of resources, to your point. At the same time, they have the same issues. They're an attack surface. Their credentials are at risk. They still store PII. They still have sensitive information. They still have to produce a service that's consumed by someone just at a smaller scale. So take us through, I mean, what is your advice for someone who's approaching this and trying to decide? They know that they want to use Office 365. There's some real benefits for them there. How should they approach it? How do they know how to begin?
Starting point is 00:10:25 So I'm going to say something that might put people off. Stop listening to Microsoft. Listen to yourself. What does your business need? And write that down. Then go back again. What would make your business excel or accelerate? And write that down. And pay no mind to what you get in a license level, or pay no mind to what you get from a third party, or pay no mind to what you get for an up-level subscription by Microsoft, and just look at you. What makes your business run and thrive?
Starting point is 00:10:56 Once you've documented those business and security requirements, now backfill who can fill those needs the best. That's Robert Block from SecureAuth. The European Union passed its long-debated and widely feared copyright law, which incorporates what's been called a link tax. There are some exemptions for smaller organizations and not-for-profits,
Starting point is 00:11:23 but in general the law is very good news for rent-seeking big media companies and moderately bad news for everyone else. Where the law is widely seen is opening up considerable possibilities for censorship. At a minimum, the measure seems likely to force YouTube-like content moderation on much of the Internet. Russia's President Putin says they now know who the two men are, the British fingered for the Salisbury nerve agent attacks. He says they're just regular Joes, civilians, and neither criminals nor GRU hoods. Presumably they got their Novichok, which in the Russian view they of course didn't actually have, off their spice rack in the kitchen. I know that's where I keep mine, and it's probably where you keep yours too. Mr. Putin says he hopes the two will soon tell their story.
Starting point is 00:12:08 There's a European arrest warrant out for both Petrov and Boshirov, the two alleged goons, but no one expects them to present themselves to British authorities soon or indeed ever. According to the BBC, Mr. Putin said, quote, We know who they are. We have found them. I hope they will turn up themselves and tell everything. This would be best for everyone. There is nothing special there, nothing criminal, I assure you. We'll see in the near future."
Starting point is 00:12:36 Russian state television reacted with all the full-throated approval one would expect from Russian state television, calling Mr. Putin's remarks simply sensational. Channel One speculated that British Prime Minister Theresa May would resign on the news that Petrov and Boshirov are just regular guys, or else that she'd double down on lies and propaganda. The case is an interesting study in Russian information operations. Lots of confusing cross-currents of misdirection,
Starting point is 00:13:07 most recently concerning timestamps on surveillance footage of Petrov and Boshirov, flat denials of involvement accompanied by sententious good citizen offers of cooperation in the investigation, charges of foreign hostility to Russia, and allegations that whatever happened was a provocation. It's a familiar playbook, and it will be seen again. And finally, in a particularly nasty scam being reported by WhatsApp users in the UK, children are being targeted by someone or some people calling himself, herself, or themselves Olivia, and inviting the recipients to click a link.
Starting point is 00:13:46 The link goes to nasty adult content. The motivation appears to be art for art's sake, simple disinterested nastiness, and sadly there's more than enough of that gurgling around in cyberspace. There may be some attempt to disarm children in the choice of the name Olivia, which is the name of the piglet heroine of a popular series of children's books. Sorry to give you something else to think about, parents, but keep an eye out for Olivia on WhatsApp.
Starting point is 00:14:15 She's not what your children might take her to be. If you see such a message, WhatsApp says you should block the sender, disregard and delete the message, and under no circumstances forward it.
Starting point is 00:16:31 And joining me once again is Jonathan Katz. He's a professor of computer science at the University of Maryland and also director of the Maryland Cybersecurity Center. Jonathan, welcome back. You sent along an interesting write-up here from a gentleman from the MIT Media Lab,
Starting point is 00:17:06 and this has to do with both responsible disclosure when it comes to cryptocurrency, but also a pretty serious bug that he found. Bring us up to date here. What's going on? This was actually a pretty interesting story, like you said, and also kind of a scary one, because what it showed is that even a very simple flaw in one of these cryptocurrency algorithms could have pretty devastating effects. What happened in this case is that the person at the MIT Media Lab found a relatively small but important bug in Bitcoin Cash. And like I said, it was a bug that was very small and people hadn't noticed up to that point.
Starting point is 00:17:46 But it could have had a devastating consequence because it would have had the effect of having some people in the network validate certain transactions while other people in the network did not validate them. And of course, for a blockchain, this is really problematic because that leads to a fork in the underlying blockchain where half the network has one view of the system and the other half has a completely different view of the system. And that's not supposed to happen. Yeah, so potentially a catastrophic bug. But then he also had some second thoughts about reporting it. Yeah, he was actually a little worried because he realized that somebody could take advantage of this bug
Starting point is 00:18:23 to actually spend more money within the system than what they actually had. They could effectively do a double spend attack. And he was worried that by publicly reporting the bug, if somebody then went ahead and actually exploited the bug and carried out the attack, then either he would be suspected as being the one carrying out the attack, or he would be blamed for disclosing the bug and then allowing people to take advantage of it. So he went through a number of steps, actually, to report the bug, but in an anonymous fashion so that he wouldn't be blamed afterward in case anything went wrong.
Starting point is 00:18:54 Yeah, he was actually concerned for his safety, which is something I hadn't really considered, but I think it's probably good thinking. Well, you know, with these cryptocurrencies, there's real money ultimately on the line. And so these bugs can really have significant financial consequences. And so how does it end? Is it all as well that ends well? Well, you know, yes and no, right? So of course, he reported the bug and the bug was promptly fixed. But what's worrisome here is the fact that even though all this code is open source and anybody can go ahead and look at it, and even though you have really talented programmers working on this code bugs
Starting point is 00:19:29 still creep in, and it just shows how careful, uh, we all have to be about this, about the software that we're using, especially in the context of these cryptocurrencies, which are contributed to by lots of people around the world, you know, potentially in a more haphazard manner than code that's put out by a company. Yeah. So even though it's open source, I guess that has its good and its bad. Yeah, there's sort of a running debate about whether open source software is inherently more or less secure. And in principle, it should be more secure because you have, quote unquote, the eyes of the world looking at it. And so if any bug is introduced, anybody should be able to find
Starting point is 00:20:04 it. The flip side of that is that very few people actually have any incentive to look at it. So it's not like you're being paid to look at the code as part of your job, for example. And so maybe this is just a case in point that you really do need dedicated people whose job it is to look over code, and you can't just rely on volunteer effort to generate secure code. Yeah. All right. Well, it's an interesting story for sure. As always, Jonathan Katz, thanks for joining us.
Starting point is 00:20:39 And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Starting point is 00:21:27 And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Starting point is 00:21:57 Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
