CyberWire Daily - Getting tangled up in the blockchain. RDS vulnerabilities. The language of fraud. An offer of help to the G19.
Episode Date: November 16, 2022
Blockchains and cryptocurrency exchanges, and the risks they present. Vulnerabilities in Amazon RDS may expose PII. A study of the language of fraud. Tim Starks from the Washington Post's Cybersecurity 202 on a lagging DHS cyber doomsday report. Our guest is Ashif Samnani of Cenovus Energy with insights from the world of OT cyber. And President Zelenskyy offers the benefit of Ukraine's experience with cyber warfare to the "G19".
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/220
Selected reading.
Cryptocurrency sector vulnerabilities. (CyberWire)
Oops, I Leaked It Again — How Mitiga Found PII in Exposed Amazon RDS Snapshots (Mitiga)
Amazon RDS may expose PII. (CyberWire)
The specious language of fraud. (CyberWire)
Zelensky offers G20 leaders to use Ukrainian experience in cyber defense (Ukrinform)
Ukraine at D+265: A missile campaign punctuates diplomacy. (CyberWire)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Blockchains, cryptocurrency exchanges, and the risks they present.
Vulnerabilities in Amazon RDS may expose PII.
A study of the language of fraud.
Tim Starks from the Washington Post Cybersecurity 202 on a lagging DHS cyber doomsday report.
Our guest is Ashif Samnani of Cenovus Energy with insights from the world of OT cyber.
And President Zelensky offers the benefit of Ukraine's experience with cyber warfare to the G19.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, November 16th, 2022.
A report from Moody's says that the cryptocurrency ecosystem's vulnerability to cyberattacks
is restricting the sector's growth.
Moody's says this trend was most recently highlighted by the hacks sustained by FTX
shortly after the exchange filed for Chapter 11 bankruptcy last week.
Moody's explains that applications built on the blockchain rely on a tangle of technologies that opens them up to attacks. The report explains,
The ecosystem relies on a series of technological layers, such as the user interface, smart contracts, the blockchain program, and the hardware infrastructure. Each segment can be susceptible to vulnerabilities.
In particular, smart contracts, programs running automatically when predetermined conditions are met,
present novel challenges.
Whereas bugs can remain hidden for a long time in conventional applications,
hackers can easily identify flaws in a smart contract because their code is often open source.
Their automated nature and ability to hold crypto assets also enable thieves to exploit logical errors to steal funds.
Moody's researchers note that more attacks are now targeting decentralized finance companies compared to centralized finance.
Not only do they hold large sums of cryptocurrency, but they're also susceptible to many of the same issues that affect crypto exchanges.
The recent collapse, bankruptcy, and compromise of the FTX crypto exchange bring many of these vulnerabilities into relief.
CoinDesk describes a hack sustained by FTX several hours after the exchange filed for bankruptcy. Unknown hackers stole more than $600 million from FTX crypto wallets.
Wired outlines the efforts industry and law enforcement are taking to track the stolen funds.
Mitiga released research today discussing the exposure of PII in Amazon Relational Database Service snapshots.
Amazon RDS is a platform-as-a-service that provides a database platform based on optional engines such as MySQL and PostgreSQL, and RDS snapshots are used to help back up databases.
Researchers discovered RDS snapshots that were shared publicly for hours, days, and weeks, both intentionally and by mistake, and created a way to exploit the issue to mimic attackers.
The team created an AWS-native technique to extract information from RDS snapshots.
Researchers found that the total number of snapshots seen in the month analyzed was 2,783, and of those, 810 were exposed during the time frame being analyzed. 1,859 of the snapshots were exposed for only a day or two.
This was also discovered to be occurring worldwide.
The Mitiga team says that an email should be sent from Amazon notifying you of a public snapshot in your account after sharing a snapshot publicly.
There is also a tool called AWS Trusted Advisor that recommends steps to improve your environment in different ways: costs, performance, and security. Public snapshots will cause the Trusted Advisor widget to warn of an action recommended.
Provided in the research as well are ways to check for public snapshots.
So, let's talk fraud for a couple minutes.
The crooks do, and they speak it fluently. A report from Visa and Wakefield Research describes the effectiveness of the language used in social engineering attacks.
The researchers found that 48% of respondents believe they can recognize a scam,
but 73% are susceptible to common phrases used by scammers.
As you might expect, the language that appears in the most successful scams
usually suggests urgency. These attempts at fraud contain phrases such as,
win online free gift card, free giveaway, exclusive deal, act now, limited time offer,
urgent, click here, and action needed.
They're calculated to induce the sort of haste and suspension of the mark's critical faculties that's likely to induce them to click here right now.
One interesting side finding that
emerged in the study is that self-confidence seems inversely correlated with a user's actual ability
to withstand swallowing the fish bait, hook, line, and sinker. The researchers found
that respondents who are confident in their ability to recognize scams are actually more
likely to fall victim to them, and people tended to think that others, not themselves, would be
more susceptible to scams. The study found, while consumers feel confident in their own vigilance, the vast majority, 90%, are concerned that friends or family members may fall for potential scams
that include emails or text messages asking people to verify their account information,
asking about overdrawn banking accounts,
and notifying them about winning a gift card or product from an online shopping site.
It's nice that people
are concerned for their loved ones, but they might benefit from some realistic self-examination.
Our culture desk has long argued that Americans in particular overvalue self-confidence,
maybe because of too many viewings of the Wizard of Oz during childhood. Anywho, if you think you're too smart to fall for
the snake oil salesman's ballyhoo, guess what? You've probably already ordered a case or two.
Come to think of it, didn't Oz the Great and Terrible start out selling snake oil at a fair
in Omaha?
And finally, in an address to the G20 delivered by video link, President Zelensky offered friendly nations the benefit of Ukraine's experience
of resisting Russian cyberattacks during Russia's hybrid war.
He addressed the gathering as the G19, since in his view,
Russia's assumption of the role of what he describes as a terrorist state
disqualifies it from the respect and consideration due to a G20 member.
His comments to the G20's Digital Transformation Summit
commended the creation of cyber-auxiliary forces and migration to more resilient cloud services
as centerpieces of Ukraine's cyber defense program.
Such measures have, he said, enabled Ukraine to continue to deliver
essential services even under continuous attack, and he offered Ukraine's assistance to friendly
nations interested in similarly organizing their online services. He closed with a plea for and
an offer of close cooperation for cybersecurity.
Coming up after the break, Tim Starks from the Washington Post Cybersecurity 202 on a lagging DHS cyber doomsday report.
Our guest is Ashif Samnani from Cenovus Energy with insights from the world of OT cyber.
Stay with us.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. have continuous visibility into their controls with Vanta. Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices,
home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been
breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more
at blackcloak.io.
Ashif Samnani is Industrial Control System Cybersecurity Leader at Cenovus Energy. I recently spoke with him on our Control Loop podcast about some of the changes he's witnessed in nearly two decades in the OT and ICS world.
Within the OT side, I've seen automation of discovery of new vulnerabilities and threats within the environment. The technology has been evolving.
So what we've been doing in the IT space is similar to what we're now doing in the OT space, right?
So there has been an involvement in the types of technologies we've seen.
Even the evolution of threats within the space have become far more apparent, right?
I remember back in 2012, I was doing some research around Stuxnet.
That was one of the first significant cybersecurity threats within the
OT space. And now we see quite a bit relative to the OT
area. Nothing as prominent as Stuxnet, but we've
seen quite a bit. So it's just an evolving space within the OT and
ICS area of cybersecurity.
I'm curious, it's practically a cliche that there's tension
between the IT and the OT sides of the house.
I'm wondering, in your experience, how accurate that is.
Have we gotten to the point where teams are getting past that?
We're evolving now because the IT and OT space
is slowly starting to converge.
I'd say, let's flip back to 2012 when I first did OT cybersecurity.
There was a large disconnect between the organizations, between the IT and OT space when I worked
at Spectra Energy.
The business was not adopting best practices that IT dictates.
Plus, you also have the mindset of an IT person going into an OT space.
Typically, OT personnel are engineers.
They understand the technologies a little bit better.
But nowadays, you're seeing the IT and OT teams working very closely
because they understand that OT threats primarily stem from IT-specific incidents.
So we're seeing tremendous adoption,
especially the fact that, like I said,
new regulatory requirements are coming into place.
So we need to ensure that the OT space is secured
and they're working great closely with IT.
So regulatory requirements really drive a lot of the spaces,
plus also the known incidents, for instance,
like Colonial that resonated with the OT groups
and they were concerned about their security posture.
So they're working closely with the IT teams and stuff, right?
I know at the current company,
we work very closely with the various teams
within the OT space.
So we don't see much of an issue these days.
But if we flash back like five to six years ago, or even 10 years, yes, there was a significant
issue in terms of working with the IT group.
Where do you suppose we're headed here as you look towards the next few years?
Any notions for how things are going to evolve?
Yeah, I could speak a few.
For instance, in the OT space,
and this has already happened,
is adoption of cloud within the OT space.
That's one of the things that we're facing,
especially with companies such as AWS
that are building specific data lakes
related to data historians,
which is not commonly found.
So now what's happening is the boundaries of the OT,
they're changing.
We're not only going into the IT network,
but we're going to the cloud.
So that's an adoption that I see.
In addition, the new technologies which are coming out
that leverages AI and machine learning
to detect threats and vulnerabilities. We've seen a lot of those coming up, but I think that's
growing. The threat and vulnerability platforms are evolving also.
Maybe next generation threat management systems are coming into play,
which fare better in the OT space.
Typically, technologies right now, based off of the architecture, they don't fare well.
Sometimes we don't have that complete visibility.
But I think we'll find better technologies within the space.
Are you optimistic that we're going to get there, that we'll get a good handle on these things?
I'm very optimistic.
I've seen this industry grow over the last 10 years,
specifically the OT area.
I think we'll get there.
And as regulatory requirements come into play,
another one I forgot to mention was Bill C-26,
which is in Canada,
that takes cybersecurity requirements for critical infrastructure companies
that employ critical infrastructure, right?
So I feel heavily confident that we will get there, right?
It'll take a little bit of time, but I'm sure with the executives
understanding the new requirements from a compliance standpoint
and the evolving threat landscape, they'll take this a lot more seriously and consider the investment.
That's Ashif Samnani from Cenovus Energy. You can hear the rest of our interview on
the Control Loop podcast. Search for it on your favorite podcast app. And it's my pleasure to welcome back to the show Tim Starks.
He is the author of the Cybersecurity 202 at the Washington Post.
Tim, always great to welcome you back.
You had an interesting report
in the Cybersecurity 202 today about a plan for continuity when it comes to cybersecurity
in the government and perhaps some areas where it's coming up short. Can you unpack it for us here? What's going on?
Yeah, so I really do love covering cybersecurity,
but this is one of those topics that sometimes when people have used the word continuity of blank,
it sounds almost too nerdy for me even. But it's very important. What had been recommended by the Cyberspace Solarium Commission, which has been really responsible for a lot of
what Congress has been up to the last couple of years.
Two years ago, they put in there a requirement for the administration to put together a continuity of the economy plan.
And the idea was to riff off of the continuity of government and continuity of operations
kind of plans we've been talking about since the Cold War.
If a nuclear device went off, how do we keep the government functioning?
In this case, they're talking about how do you keep the economy functioning if there's this kind of national level cyber attack that takes everything down?
What came up yesterday at a House Homeland Security
hearing is that this plan has been sitting on the shelf and not getting hardly anything done on it.
And DHS won't even answer what it is that they have or haven't done.
So Alejandro Mayorkas got confronted about that at the hearing yesterday. I called DHS to see if
they would tell me anything. I called CISA. I called the White House. They all referred me to
each other. So it's kind of in a bind of nobody seems to be doing anything with it and nobody
seems interested in talking about what they are or aren't doing with it.
You have this quote in your article today where it says the decision to send the job to CISA was, quote, pretty much setting the agency up for failure, according to Garbarino.
Can you provide some context to that?
Yes.
So, yeah, Congressman Garbarino, he had brought this up at the hearing.
What had happened was in the spring of this year, the White House decided to direct CISA to be the lead on this.
was, first off, giving them the job 15 months into after it was something they were told to do means they're probably not going to finish it by January of this year, which is
the, sorry, January of next year, which is the deadline.
That's putting them really behind on a deadline that was probably going to be hard for them
to hit anyway, in part because, you know, if you've covered the government long enough,
you know, they don't always hit these deadlines.
In fact, they rarely do.
So that's putting them in a tough spot.
And even though CISA has an increasingly growing budget,
it's really swollen by billions over the last couple of years,
it still doesn't have,
and in the conversation I had with Mark Montgomery,
who was the executive director of the Solarium Commission,
doesn't maybe have the number of people it needs.
Congress had given them $200,000 for this, but maybe that's not going to be enough if
you're having to do things like decide what happens if the economy is ruined.
Yeah, that, just that little thing.
Just that little thing.
Yeah, yeah.
So where do you suppose we stand then?
I mean, it sounds to me like that deadline will likely come and go, but does this shine a light on it to maybe elevate its status in terms of attention, at least?
Yeah.
Actually, one of the things I was thinking about was, I'm not being an activist, but this is something that seems like it's not getting anywhere.
And when you're a reporter wanting to hold the government to account, you hope that shining
light on it will at least prompt some discussion about it.
Mark Montgomery, who I mentioned just a second ago, said he's hopeful that they'll at least
have a plan for a plan.
So that gives you a sense of where the optimism is about what's going to unfold here.
I think that that is a reasonable guess.
They'll say, okay, gosh, we didn't get this done,
but here's how we're going to do it.
And I didn't mention this in the story,
but one of the things Mark says he's doing
is working on almost basically drafting it for them
to say, hey, here's what we think you should be doing.
So maybe that will help them a little bit too.
If they see a version of the plan,
maybe it'll trigger their imaginations
to figure out how to go about doing it.
In the time we have left here, you also, in the Cybersecurity 202, speak about Christopher Wray, the FBI director, expressing some concerns about TikTok.
What's going on there?
Yes, he did get asked at the hearing about concerns about TikTok and its Chinese ownership and whether that presents any national security concerns.
He did, in fact, say he has those national security concerns,
but he wouldn't elaborate on what those were
because he said that would be the kind of thing
they'd need to do in a classified setting.
So behind closed doors is probably
when anybody would hear the answers to that,
and it would mainly be Congress.
One thing he did add, though,
is that there is the Committee on Foreign Investment in the United States,
which is this very special secretive panel that looks at the subject matter that's in its name.
He said that he has input to that, and he has made that input known.
We have reported at the Post that they have agreed to a couple things TikTok has.
Some additional oversight, some additional cybersecurity measures that they would be expected to do.
A deal is not imminent.
And that was as of just a few weeks ago that we reported that.
So it looks like this is going to be something we're going to be wrestling with for a little while longer, to say the least.
Yeah.
All right.
Well, Tim Starks is the author of the Cybersecurity 202
at The Washington Post.
Thanks so much for joining us, Tim.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted
by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping
unauthorized applications, securing sensitive data, and ensuring your
organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default
deny approach can keep your company safe and compliant.
Clear your schedule for you time with a handcrafted espresso beverage from Starbucks.
Savor the new small and mighty Cortado.
Cozy up with the familiar flavors of pistachio.
Or shake up your mood with an iced brown sugar oat shaken espresso.
Whatever you choose, your espresso will be handcrafted with care at Starbucks.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is a production of N2K Networks,
proudly produced in Maryland out of the startup studios of Data Tribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliott Peltzman, Tré Hester, Brandon Karpf,
Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar,
Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky,
Thanks for listening. We'll see you back here tomorrow.
but also practical and adaptable. That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.