CyberWire Daily - German election update: nichts neues. Equifax breach. Viacom dodges a bad bucket. Like Sandworm, but from Tehran. Less than fully successful criminals.
Episode Date: September 20, 2017
In today's podcast we learn that so far Russian influence seems not to be operating in Germany's election. Iran's APT33 turns from spying to sabotage. Equifax woes continue, but don't appear to include cover-up of an earlier breach. UpGuard helps Viacom dodge a cyber bullet. You may be party to a contract you didn't know about. Criminal boneheads again more common than criminal geniuses. Ben Yelin from UMD CHHS with a story of the FBI raiding the wrong home based on WiFi router information. Guest is Eddie Habibi from PAS, debunking some ICS myths. And don't be a gazelle. Thanks for listening to the CyberWire. One of the ways you can support what we do is by visiting our sponsors. Recorded Future's user conference RFUN 2017 comes to Washington, D.C., October 4th and 5th, 2017, bringing together the people who put the act in actionable intelligence. If you'd like to learn more about how small nuances in how artificial intelligence and machine learning are used can make a big difference, check out E8's white paper. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
No Russian dogs are heard barking in Germany yet.
Iran's APT33 turns from spying to sabotage.
Equifax woes continue but don't appear to include cover-up of an earlier breach.
UpGuard helps Viacom dodge a cyberbullet.
You may be party to a contract you didn't know about.
Criminal boneheads are again more common than criminal geniuses.
And don't be a gazelle.
I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, September 20, 2017.
The news from Germany, where federal elections are just four days away,
is still the case of the Russian cyber dog that didn't bark.
German authorities have been bracing themselves for at least a year,
expecting a landslide of Russian influence operations and perhaps hacking,
as Moscow undertakes its expected campaign to tweak and delegitimize the Federal Republic's vote.
But so far, nothing. Not a bark, not a whimper, not a howl or a whine.
Either nothing's in fact going on, or it just hasn't been discovered yet,
or Vladimir Vladimirovich has a September surprise up his sleeve.
We should know before the end of Oktoberfest.
FireEye is describing an Iranian threat group, APT33, which has been operating since 2013,
and which FireEye has been tracking since May 2016.
The news is not APT33's existence, but rather its new approach.
The group had hitherto been for the most part an espionage operation serving up spyware,
but it now appears to be running a new destructive malware campaign similar to the Sandworm effort that's been associated with Russia.
Reports yesterday that Equifax had sustained an earlier breach that was only now being disclosed
turn out to be only partially true.
The credit bureau did indeed sustain a breach in March,
well before the incident disclosed on September 14th,
but the company did in fact disclose that breach in a relatively timely manner.
The industry press picked it up, big media didn't.
Who was breaching Equifax is still unknown.
Some observers say it had to have been a nation state,
but that's based on the less-than-circumstantial evidence that the hack seemed pretty complicated.
Lawsuits and regulatory scrutiny of Equifax continue.
This morning, a class action suit was filed in the Atlanta federal court
on behalf of small businesses who claim injury from the breach.
Equifax's two big competitors, Experian and TransUnion, aren't alleged to have done anything wrong,
but New York's attorney general is pressing them for answers on their own data security posture.
The security firm UpGuard has discovered another unsecured AWS S3 bucket,
this one belonging to Viacom, and exposing the company's IT infrastructure.
Among the items exposed were Viacom's cloud keys.
UpGuard researchers found the exposure on August 30th,
and they describe it as having had the potential to enable, quote,
malicious actors to launch a host of damaging attacks
using the IT infrastructure of one of the world's largest broadcast and media companies, end quote.
Viacom acted promptly to secure its cloud infrastructure after UpGuard warned it,
so the gaffe seems to have had little effect.
The reputational damage of exploitation could have been very great,
to say nothing of the direct damage to the company
and those who would have been touched by the botnets and attack platforms that could have been spawned.
The series of hurricanes from the Atlantic this season is responsible for tragic loss of life
and unimaginable destruction in some of the areas worst hit.
It's also left millions without power, highlighting people's reliance on the electrical grid.
Even when the power goes off for just a few days, it can have a serious impact and put lives at risk.
Eddie Habibi is founder and CEO of PAS Global,
a company that focuses on the security of the industrial control systems that keep the power flowing.
The challenges, or the awareness of ICS, industrial control systems, being a vulnerability
came to be about 10 to 15 years after the typical enterprise IT security was found to
be a challenge for companies.
It wasn't until the disclosures around Stuxnet that we realized as an industry that the manufacturing sector,
the process, power, and other industrial sectors were affected as well.
With that in the background, there have been certain misunderstandings as to how we should
handle industrial control systems. In fact, there is this notion that there is a hype in the media, that the threat of cyber is overblown.
That may be the case in enterprise IT, but in our view, there's not enough conversation going on around the threats posed towards control systems.
I think there is a tendency for the general media,
certainly outside of the cybersecurity industry,
to, particularly when they see something like the threat of the electrical grid going down,
to imagine a worst-case scenario.
But I've heard other people say,
yes, we should be worried, but let's also not get carried away.
Anytime there is exaggeration, you have the cry-wolf syndrome, the boy who cried wolf.
It does not serve us. It does counteract the real message.
And the real message is if you follow the following set of what-if scenarios, you will very quickly realize that the threat is real, and we have to take it seriously.
You have control systems that are at the heart of the industrial sector, including power, refining oil and gas.
These systems are vulnerable.
Bad actors have proven that they can penetrate them and they can cause shutdown.
Simultaneous attacks on a number of these systems could have a similar consequence to
a natural disaster.
You combine that with the knowledge that certain foreign nation states have shown that they
are interested in cyber as a weapon,
and they are testing those weapons.
It is easy to see what the consequences could be of a simultaneous shutdown of water utilities, power, and the oil and gas industry, and it doesn't take very much of that.
You could literally cripple a city, a state, or a part of a country.
In our estimation, based on conversations we have had,
only a small fraction of industrial companies have implemented
what we refer to as foundational cybersecurity measures to deal with the issue.
They have performed what we would call perimeter defense measures, firewalls, antivirus.
However, there is much more to do that has not been done.
That's Eddie Habibi from PAS Global.
Yesterday's conference at the Johns Hopkins University covered ground of interest to business leaders,
especially with respect to the implications cyber risk has for their legal and contracting activities.
In his opening remarks, Anton Dahbura, director of the Information Security Institute
at the Johns Hopkins University's Whiting School of Engineering,
reviewed his unlucky top 13 list, an inventory of recent security horror shows.
He thinks these incidents, the Equifax breach being the one that's arrived with the most éclat,
may have induced the public to pay attention,
and may finally be moving people away from what Dahbura called the gazelle mentality,
that is, the comforting thought that if you stay close to the herd, you'll be okay. You won't.
Other speakers discussed the opportunity costs sound security inevitably imposes on organizations.
One new addition to the faculty at the Johns Hopkins School of Advanced International Studies,
Thomas Rid, who just arrived from his previous appointment in London,
offered an overview of the attribution challenge.
Historically informed, Rid's account argued that attribution is as much art as science.
A panel of legal experts offered advice for businesses.
One highlight, Whiteford Taylor Preston's Howard Feldman
reminded everyone of the importance of contracts
and that you may be bound by contracts you hadn't realized were contracts at all.
For example, he said, quote, your privacy policy on your website is a contract, end quote.
And Bob Olson, CEO of event sponsor Compass Cybersecurity, closed with some effective
analogies security professionals can use to communicate with the business leaders they
support.
Compare security to a house.
The keys are like credentials.
Security consultants are like security guards, and so on.
The analogies may be homey,
but they may also be an overlooked way of approaching the kind of storytelling
that security experts keep telling CISOs and consultants they need to do with business leaders.
We'll have more detailed coverage of the discussions later this week. Watch the CyberWire Daily News Briefing for updates.
Finally, we've all heard of criminal masterminds, but we think they're probably as fugitive and scarce as Sasquatch.
The criminal bonehead is a much more representative variety.
For your consideration: Christopher Ricardo Gonzalez, age 18, and one of the ten most wanted by the state of Texas.
Mr. Gonzalez, with whom the Dallas Police Department very much desired to speak,
was located in the leafy, laid-back Los Angeles neighborhood of Woodland Hills the other day.
The Dallas PD noticed that Mr. Gonzalez had proudly posted an Instagram video of himself
displaying his arsenal of weapons.
The Dallas police extracted Mr. Gonzalez's geolocation, also proudly on display, sent
it to the LAPD and asked them for a solid.
The LAPD obliged, and Mr. Gonzalez is now a temporary guest of Los Angeles' mayor while
he awaits extradition to the Lone Star State.
So kids, remember, if you must embark on an alleged life of alleged crime, never forget,
those who live by the selfie get nabbed by the selfie.
And I'm pleased to be joined once again by Ben Yelin.
He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security.
Ben, welcome back.
Imagine the scenario.
You're sitting home minding your own business, or maybe even asleep at night, and suddenly FBI agents come pounding on your door and coming in,
and they say that they're ready to search your house for child pornography.
So, yeah, this happened actually in the town of Davis, California, which is just a little bit west of Sacramento.
This innocent person heard a bang on his door. He and his roommate panicked. It was the FBI.
They were executing a search warrant based on information they received from an AT&T wireless router
that somebody within the confines of that house was using child pornography.
Of course, the problem was that neither of the two people who occupied the house were using child pornography.
It was the 22-year-old man in the apartment next door
who used his, quote, great computer savvy to hack the password protected account.
He was basically viewing child pornography through his neighbor's wireless service. The
person who was actually committing the crime of viewing child pornography
has gone through this long, arduous prosecution.
He has been convicted.
He is going to prison.
They're in the sentencing phase right now,
and it looks like law enforcement is seeking a strict 17-and-a-half-year sentence
on counts of possession and distribution of material involving the sexual exploitation of minors.
And the person, that 22-year-old living next door, has admitted to downloading this pornography,
has admitted to having a problem viewing underage males online,
but he nevertheless says he's not any sort of sexual predator. He's never acted upon
these impulses. He's just somebody who is computer savvy and was able to at least temporarily
disguise his online whereabouts to avoid detection. But luckily, justice is being served for that
individual. And for the neighbors, for the people whose Wi-Fi he hopped on, this was not a matter of them having an unsecured Wi-Fi.
They had done everything right.
They sure have.
And, you know, Dave, none of us really changed our Wi-Fi passwords.
I don't think I've changed mine since I've moved to my house.
This is just not something the average layperson focuses on.
You know, and it can be an extremely traumatic experience for people to have the FBI come in at odd hours of the night, bang on a door, execute a search warrant.
For the story in the Sacramento Bee, they interviewed these two individuals who occupied the apartment, and they seemed pretty traumatized.
One of the people said that he didn't want to feel that shadow of guilt or to have memories come bubbling back up when he least expects it,
like staring out a train window on his commute home or when he's trying to fall asleep.
I mean, it's almost like having sort of a post-traumatic experience.
And it would be good if there were some accountability avenues when the FBI does this to innocent people.
Now, the FBI here made a good faith mistake,
and they would be able to win any civil suit just based on that justification.
There has to be some way for there to be accountability when innocent people are being subject to these often violent FBI raids.
That's the problem with a probable cause determination.
In order to execute a search warrant like this, you don't have to be 90% sure that a crime has been committed.
You just have to have probable cause. It has to be more probable than not that there's evidence of a crime.
And from the FBI's perspective, they think if it's coming from the wireless server in this house,
that makes it more probable than not that the people in the house are the ones searching this pornography.
And that's highly unfortunate, but I don't see that the legal standard is going to change.
All right, Ben Yelin, thanks for joining us.
And that's the CyberWire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner.
Thanks for listening.