CyberWire Daily - Flynn pleads guilty in Mueller probe. Misconfigured AWS S3 buckets, again. Election trolling and spy versus oligarch. Black Friday fraud down. Crime and punishment.
Episode Date: December 1, 2017
In today's podcast, we hear that former National Security Advisor Flynn pleads guilty to lying to the FBI. Another misconfigured AWS account is found. Cobalt is either careless or engaged in misdirection. Election trolling and mutual suspicion between Russia and the US. Kaspersky says his company didn't, doesn't, and won't spy for the Russian government as US agencies begin to purge their systems of his security software. Black Friday fraud seems to be down this year. South Korea's investigation of domestic election meddling by its cyber command sharpens. Malek Ben Salem from Accenture Labs with thoughts on GDPR. Gary Golomb from Awake Security with thoughts on properly setting priorities. And Roman Seleznev gets another fourteen years on carding charges.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Former National Security Advisor Flynn pleads guilty to lying to the FBI.
Another misconfigured AWS account is found.
Cobalt is either careless or engaged in misdirection.
There's election trolling and mutual suspicion
between Russia and the U.S.
Kaspersky says his company didn't, doesn't,
and won't spy for the Russian government
as U.S. agencies begin to purge their systems
of his security software.
Black Friday fraud seems to be down this year.
South Korea's investigation of domestic election meddling
by its cyber command sharpens,
and Roman Seleznev gets another 14 years on carding charges.
I'm Dave Bittner with your Cyber Wire summary for Friday, December 1, 2017.
In some breaking news out of Special Counsel Robert Mueller's investigation of Russian influence operations,
former National Security Advisor Michael Flynn has entered a plea of guilty to charges of lying to the FBI.
The retired lieutenant general appeared this morning in a Washington federal court
where he acknowledged that he was cooperating with Mueller's investigation.
Flynn said he made false statements to FBI investigators
about conversations he held with the Russian ambassador to the United States,
Sergei Kislyak.
Beyond this development, the week ends as it began
with news of a misconfigured cloud account.
In what's becoming a dog bites man story,
or maybe even an evergreen one,
another unsecured Amazon Web Services S3 bucket has
been found, open online and misconfigured for public access.
This one held data belonging to the National Credit Federation, the NCF, and contained
some 111 gigabytes of data, much of it in the form of sensitive credit records.
The Tampa-based NCF is a membership-based organization whose mission is, in their own words,
to help people who are currently in or have successfully come through a financial crisis
take back control of their finances and credit, allowing them to achieve their financial dreams.
Up to 40,000 individuals may have been affected, their data exposed,
but UpGuard, which found the misconfigured bucket,
says it saw no evidence anyone had actually stolen the information. The database has since been secured.
The Cobalt hackers, criminals who targeted financial institutions with phish-baited malware, may have committed a misstep. BleepingComputer reports some of their spam appears to reveal their intended targets in the most obvious place: the email's To field, as opposed to the customary BCC field you'd use if you don't want all the addresses to see one another.
But there's speculation this may be misdirection, intended to send security researchers on a wild goose chase while Cobalt unobtrusively pursues its real targets.
As more reports emerge of the scurrilous content of Russian election trolling in the U.S.,
extending to violent fantasy, Satanism, racism, and so on,
it seems Russia also feels itself under threat.
The Kremlin thinks it sees a coordinated U.S. campaign
to turn Russia's oligarchs against their government.
This is believed in Moscow to be the real goal of U.S. sanctions
imposed after Russia's green men began their slow-motion re-engorgement of Ukraine.
The tweets reporters found that could be attributed to the Internet Research Agency,
a St. Petersburg troll farm, were aimed at creating mistrust, cross-currents of intergroup
hatred, chaos, and an atmosphere in which U.S. institutions would be discredited in the eyes of much of the public.
Eugene Kaspersky has continued to vociferously object to charges that his company, Kaspersky Lab,
was engaged in spying on behalf of the FSB or any other Russian intelligence service.
He said this week that if he were told to do so by any of those services, he and his company would quit Moscow.
The widely credited charge that Kaspersky has cooperated with the FSB has, he said, this much foundation in truth: the FSB in Russia is responsible for investigating cybercrime.
So in addition to its role in developing foreign intelligence, the FSB plays a law enforcement
role in Russia, similar to the role the FBI and the Secret Service have in the United States.
And Kaspersky does indeed cooperate with the authorities in the investigation of cybercrime.
The company's founder says they've been the victim of an orchestrated campaign by the U.S. government to discredit them.
That said, the U.S. government's ban on Kaspersky software continues.
Federal agencies are reported to have completed their scans for Kaspersky security software as required by the Department of Homeland Security.
About 15% of the federal agencies found the security software.
They have until the 19th of this month to remove it.
A quick look back at Black Friday weekend suggests good news.
According to iovation, credit card fraud appears to be down 29% from 2016.
The reasons for the drop are complex but two stand out.
Brick-and-mortar retailers are benefiting from widespread adoption of chip-and-pin technology,
and online retailers have taken advantage of new techniques of device intelligence
to prevent fraud in transactions where the card is not physically present.
The four-day period that showed the drop in fraud ran from Black Friday through Cyber Monday.
A team of investigators formed by South Korea's Ministry of Defense is said to have concluded
that the Republic of Korea's Cyber Command illegitimately sought to influence 2012's domestic elections.
Lyft, Uber's rival in the ride-gig market, has been enjoying a good year,
which many attribute in part to Uber's problems with leadership, litigation,
and most recently a massive data breach.
Lyft is said by TechCrunch to have tripled its revenue this year.
For its part, Uber faces a rising tide of lawsuits.
The city of Chicago and Cook County, Illinois, have filed suit asking for fines amounting to $10,000 a day for each violation of a consumer's privacy.
Washington state has filed a consumer protection lawsuit against Uber.
The state attorney general has asked for $2,000 per violation.
These suits could easily amount to millions of dollars in penalties.
The company also faces two class action suits filed in federal courts last week,
one in Los Angeles, the other in San Francisco.
Finally, a well-known and well-connected Russian hacker has been convicted of additional charges in a U.S. court. Roman Seleznev, son of a prominent Duma member, was nabbed in 2014 on a U.S. warrant
while attempting to return from a vacation in the Maldives. He was convicted in a Seattle
federal court of 38 counts related to carding and fraud and sentenced to 27 years. This week,
he received another 14 years, these from a federal court in Atlanta, upon conviction of one count of racketeering
and one count of conspiracy to commit bank fraud. The Russian government has long denounced
Seleznev's arrest as kidnapping. The U.S. calls it extradition. It's also a warning
to choose your vacation spots with care.
And joining me once again is Malek Ben Salem. She's
a senior manager of security and R&D at Accenture Labs. Malek, welcome back. We wanted to touch on
GDPR. It's coming up next year. It'll be here
before we know it. Why don't we just start off? Why don't you run down some of the numbers for us?
Yeah, thanks, Dave. Yeah, so there's been a lot of talk about GDPR. For people who are not familiar with it, it's the General Data Protection Regulation, which will come into effect on May 25th of 2018. So Gartner released a report predicting that by the end of 2018, more than 50% of the companies will not be in full compliance with GDPR. And that number will be 40% in 2020. Forrester predicts that 80% of companies will fail to comply in 2018. And I personally think that we're probably closer to the Forrester number, meaning the 80%, as opposed to the 50% predicted by Gartner. The reason is that many companies still don't know if they need to comply or not. A survey by WatchGuard,
which was reported on CyberWire before, predicted that 37% of global organizations are still unsure
if they need to comply. So if you're unsure, you probably need to comply.
Well, and there are some hefty fines too. So, I mean, it's in your best interest to find out.
Absolutely.
Yeah.
It is important to find out.
It's important to make that investment.
From a digital trust standpoint, right?
So, GDPR is really driven by ensuring consumers' privacy.
And if you invest in it, there is an opportunity to build that trust
with your clients. So you can turn this from a burden, right? All the requirements, you can turn
that burden into an opportunity. So let's say the burden of identifying new categories of personal
data. You can turn that into an opportunity to build more comprehensive
customer profiles. The requirement of privacy by design and minimizing data, you can turn that
into an opportunity to reduce the cost of retaining all of the data that is not necessary
for your operations. The data breach notification, which we're all familiar with, right?
You can turn that into an opportunity to build customer trust into your value proposition.
So if businesses look at this the right way, they can turn that investment that they put
into GDPR compliance into really great opportunities for growing their reputation, for building that
trust with their clients. Yeah, it seems to me like no one's going to say, gosh, it's a shame
that you've put all these extra privacy implementations in place. That's a good thing.
Absolutely. It is a good thing. All right. Malek Ben Salem, thanks for joining us. Thank you.
My guest today is Gary Golomb.
He's the co-founder of Awake Security, a company that provides advanced security analytics.
We began our conversation with a discussion about prioritization and how organizations are challenged with choosing where to allocate their money, talent, and time.
Prioritization to me is, it's an ongoing challenge.
I mean, like prioritization was something that, like I saw companies struggling with in the very,
very early 2000s, right? And we still have that exact same issue today. And I think a lot of conversations around it are very
similar to what they were 15 plus years ago. And so it is true that prioritization is a challenge.
However, I think a more substantial challenge that has arisen over time is regardless of how
these things are prioritized. And these things are the list of things that you
ultimately need to look at, right? It might be alerts, it might be, you know, there's a lot of
different terms we use for those things. It depends on the type of system you're sitting in front of.
They still need to be looked at, regardless of how they're prioritized, right? So you could
actually, in theory, knowing that prioritization is a challenge and is probably flawed still today, right? If you could
get through more things, if you could be more effective as you go through those things, then
it starts to compensate for how you've prioritized. And again, prioritization will, I think, implicitly
be flawed because you always have incomplete information, right?
So prioritization can become less of an issue if you can be more effective and more accurate
at how you go through those things.
And so there's actually concepts around that that I think could be kind of interesting
to look at as well.
And so take us through that.
I mean, how can you make those decisions?
One concept that, you know, we've been studying actually quite closely for a little while now is
what we could call comparability. When you look at, say, you know, around the 2010 time frame,
plus minus a couple of years, you know, that puts us at the heyday of exploit kits, right? And kind of just mass compromises of endpoints.
When you look at enterprise, like you look at a SOC during those timeframes, and you look at a
lot of the things that an average analyst was looking at, they had a lot of information available
to them that allowed them to make comparisons that ultimately allowed them to make decisions about whether
to respond appropriately to something or not.
So as a concrete example, you could get a new piece of malware that infects some endpoint
and it has a user agent string that looks kind of like a browser, but the word Windows
or Microsoft or something is misspelled, which was surprisingly common back then.
But you had a lot of additional information available to you that allowed you to make comparisons and see that, oh, this user agent is very, like, it looks wrong.
And so even if you plugged that user agent into Google and got no results back, so you didn't get a positive confirmation that it's malware, you had the information available to you to make comparisons, to make a decision on your own in absence of some other
system or some other source telling you it was bad. And because of the way the attack surface
has changed over the past, I mean, literally, I think over the past seven years has been pretty
dramatic change. The information that analysts had available
to them to do those comparisons, to make decisions effectively, just intrinsically or implicitly with
the information they have in front of them, has gone away in a lot of cases. So you think about
like a server application and looking at some of these more recent mega breaches, right?
Each server can be very different from each other.
And in fact, the people who tend to know most about when you see a server
and it's behaving in some particular way,
and you need to decide is this odd or is it not odd,
a lot of times it's the server application developer who will know that best
or can even know that in the first place.
Unless you start working on whether it's characterizing
or bringing in information, bringing information to the analyst
that allows them to, because they can't look at that behavior from a server
and in many cases do a Google search and see if it should be acting that way or not.
That's knowledge that's going to be intrinsic to the organization itself.
So really filling those gaps for the analyst, which is, that's where the buck stops. You can
alert to things all day long, but if somebody can't make an effective decision about whether
that should be responded to or not, right, that's, you lost your chance to respond to the thing.
And so anyways, comparability actually becomes a very important aspect that
enables analysts to make decisions compared to should this be behaving this particular way,
or what is business justified, if you will, in my environment.
That's Gary Golomb from Awake Security.
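The comparability heuristic Golomb describes above, a browser-like User-Agent whose platform or vendor token is misspelled, as an added example that is not part of the podcast and not Awake Security's code: a Python script that pulls the User-Agent out of constructed proxy access-log lines, tokenizes it, and flags tokens that are absent from a vocabulary of known-good tokens but sit within edit-similarity range of one. The log lines, the `KNOWN_TOKENS` vocabulary, the four-character minimum token length and the 0.8 similarity cutoff are all assumptions made for the example; in practice the vocabulary would be built from the organization's own baseline of legitimate traffic, which is exactly the "intrinsic to the organization" knowledge the interview is about.

```python
"""Flag browser-like User-Agent strings whose platform/vendor tokens are
misspelled ("Windwos", "Mozila"): the comparison an analyst makes against
known-good traffic. Added example; all sample data below is constructed."""
import difflib
import re

# Reference vocabulary of tokens seen in legitimate browser User-Agents.
# Assumption for the example: build this from your own known-good baseline.
KNOWN_TOKENS = {
    "Mozilla", "Windows", "Microsoft", "Macintosh", "Linux", "Android",
    "AppleWebKit", "KHTML", "like", "Gecko", "Chrome", "Safari", "Firefox",
    "Trident", "compatible", "MSIE", "Edge", "Version", "Mobile", "Intel",
}

# Alphabetic runs of four or more characters; shorter runs (NT, rv, Win)
# produce too many accidental near-matches to be useful.
TOKEN_RE = re.compile(r"[A-Za-z]{4,}")

# Apache/squid-style access line: the User-Agent is the final quoted field.
UA_FIELD_RE = re.compile(r'"([^"]*)"\s*$')
CLIENT_RE = re.compile(r"^(\S+)")

# Constructed sample log (not from any real environment): line 2 carries a
# "Windwos" typo and line 3 a "Mozila" typo; line 1 is a normal Chrome UA.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Dec/2017:10:03:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36"
10.0.0.7 - - [01/Dec/2017:10:04:02 +0000] "POST /gate.php HTTP/1.1" 200 34 "-" "Mozilla/5.0 (Windwos NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
10.0.0.9 - - [01/Dec/2017:10:05:40 +0000] "GET /update HTTP/1.1" 200 120 "-" "Mozila/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"
"""


def near_misses(user_agent, known=KNOWN_TOKENS, cutoff=0.8):
    """Return [(token, closest_known_token)] for tokens that are not in the
    vocabulary but look like a typo of one (difflib similarity >= cutoff).
    Exact matches are compared case-insensitively so 'mozilla' is not flagged."""
    known_lower = {k.lower() for k in known}
    hits = []
    for tok in TOKEN_RE.findall(user_agent):
        if tok.lower() in known_lower:
            continue
        close = difflib.get_close_matches(tok, known, n=1, cutoff=cutoff)
        if close:
            hits.append((tok, close[0]))
    return hits


def suspicious_lines(log_text):
    """Scan access-log text; return [(client, user_agent, hits)] for every
    line whose User-Agent contains at least one near-miss token."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ua_match = UA_FIELD_RE.search(line)
        if not ua_match:
            continue  # no quoted User-Agent field; nothing to compare
        ua = ua_match.group(1)
        hits = near_misses(ua)
        if hits:
            client = CLIENT_RE.match(line).group(1)
            flagged.append((client, ua, hits))
    return flagged


if __name__ == "__main__":
    for client, ua, hits in suspicious_lines(SAMPLE_LOG):
        print(f"{client}: {hits} in {ua!r}")
```

The point of the cutoff is that a token the vocabulary has never seen (a new browser, an internal tool) is not flagged at all; only a token that is almost a known one is, because that is what a malware author imitating a browser and misspelling "Windows" looks like next to genuine traffic. Tune the vocabulary and the cutoff against your own baseline before trusting the output.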
And that's the Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and
producers. I'm Dave Bittner.
Thanks for listening.