CyberWire Daily - Google Groups oversharing. E-discovery don'ts. Energetic Bear may be back. The CopyKittens seem to be Persian cats. Ethereum hacks (and white hats).
Episode Date: July 25, 2017
In today's podcast, we hear that hundreds of enterprises may be oversharing on Google Groups. Wells Fargo works to recover from botched e-discovery. Energetic Bear may be back, with some cunning phishbait. Pravda says Russians feel strange new respect in cyberspace. The CopyKittens appear to be Persian cats. Another Ethereum ICO is pilfered, but, contrary to expectations, the White Hat Group looks like a genuine group of white hats. Emily Wilson from Terbium Labs wonders what qualifies as personal information on the Dark Web. FICO's Doug Clare outlines scoring your cyber security posture. And some notes from Vegas.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Google Groups shouldn't be set for oversharing, hundreds of enterprises are learning.
Wells Fargo works to recover from botched e-discovery.
Energetic Bear may be back with some cunning phishbait.
Pravda says Russians feel strange new respect in cyberspace.
The CopyKittens appear to be Persian cats.
Another Ethereum ICO is pilfered, but contrary to expectations,
the white hat group looks like a genuine group of white hats.
And some notes from Vegas.
I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, July 25, 2017.
We've been hearing a fair amount about inadvertently exposed data.
In several cases of misconfigured Amazon Web Services S3 buckets,
businesses and government organizations have seen some sensitive data made accessible to casual web surfers.
And of course, this is a user issue.
AWS users need to devote proper attention to their access control lists.
And not only AWS users, but now Google Groups users as well.
Security firm RedLock has announced that it's found hundreds of cases in which enterprises have left their information out for inspection.
The problem seems to arise from users' casual choice to make their Google Groups public on the Internet.
Again, this is a user issue, so if you're a devotee of sharing via Google Groups, make sure you're not oversharing.
Wells Fargo, whose outside counsel released information on about 50,000 high-value customers in the course of an e-discovery snafu,
is now receiving the attentions of FINRA, the Financial Industry Regulatory Authority.
That outside counsel said they relied on a vendor to prepare the CDs on which the required documents were provided,
which would make this, we suppose, a case of fourth-party risk. At any rate, Wells Fargo itself has petitioned the courts to order the return of the data.
"We take the security and privacy of our customers' information very seriously," Wells Fargo said in a public statement. "Our goals are to ensure the data is not disseminated, that it is rapidly returned, and that we ensure the discovery process going forward in the cases is working as it should."
Security company CyberInt reports that it's found a new campaign that appears to be prospecting energy utilities.
They're not sure who's behind it, but they think they see signs that it may be Energetic Bear again.
This campaign installs credential-harvesting malware via an email attachment, specifically a Word document that purports to be an innocent resume, the kind of thing HR and recruiting offices open all the time.
Neither the document nor the email that carries it has malware embedded in it.
Instead, the document contains a template reference which, upon loading, connects via Server Message Block to an attack server, after which it downloads a Word template that does carry malicious payloads.
The electrical utilities being prospected appear so far to be largely American, but the campaign is likely to have more widespread effects.
Energetic Bear, like NotPetya, is thought to be the work of Russian intelligence services.
Pravda offers some perhaps uncharacteristic candor about what's up.
At last, they say, citing a poll of Russian attitudes, the foreigners have to respect us.
A spokesman for President Putin tells the information outlet that Russia is a war elephant
in cyberspace and now needs to begin making its hardware
as good as its software.
ClearSky and Trend Micro yesterday released the results of their research into CopyKittens,
which they characterize as a cyber espionage group operating from and on behalf of Iran.
The CopyKittens have been operating since 2013 at least.
Their interests are consistent with nation-state strategic intelligence objectives:
legislative bodies, foreign and defense ministries,
the defense and aerospace industry, academic research institutions, and so on.
The nations principally targeted include Israel, Saudi Arabia, Turkey,
the United States, Jordan, and Germany.
Some recent high-profile victims have been Germany's Bundestag and the Jerusalem Post.
The group uses DNS for both command and control communications and data exfiltration.
ClearSky and Trend Micro call the CopyKittens' latest campaign Wilted Tulip.
If you're in the U.S., you're surely familiar with your FICO score,
the number that credit agencies provide to give lenders a sense of your credit worthiness.
Well, the folks at FICO are now aiming their ratings analytics at cybersecurity.
Doug Clare is vice president of cybersecurity solutions at FICO.
We got into it as a result of a conversation that FICO had with our breach insurer.
Our insurer came out for the usual
questions about our business, how it's going, what we do, what our practices are. You know,
there was a rhetorical question that was asked, which was, wouldn't it be great if there were a
FICO score for cyber insurance, right, for cyber risk? We kind of scratched our heads and thought
about that a little bit. And the more we thought about it, the more we came to realize that it was probably a tractable problem from an analytics perspective.
There are behaviors and conditions that are measurable that you can empirically correlate
to breach events. It is certainly a very interesting space, right, from an analytics
perspective. But it is, you know, much like a FICO
score or other things that you can tackle with analytics and artificial intelligence and machine
learning. It's a tractable problem and it's one that, you know, I'm sure we're going to improve
upon over time, but it's one that analytics can be applied to effectively.
Is this something that you apply from the outside or does a business invite you to take a look at them?
We're able to just look at it from the outside and make a
determination. And we can obviously offer that to the businesses if they're interested. There's
really kind of three use cases for this, right? One is for enterprise self-assessment. So if you
want to, if you're a CISO or a CEO or a board member, and you want to
understand what the risk level is for your organization and what some of the primary
factors of risk are, that's a use case we can support. We can also support the ability for
third parties to make that assessment. Now, in that case, we're very careful about what we share, right? We don't share a lot,
but we can tell you what the score is of a third-party organization. If they're a vendor
of yours, part of your supply chain, or if you're an insurance underwriter, right, and you're looking
to bind breach insurance coverage for an organization, we're able through the score to convey relative risk level to you for that
purpose.
And so just like, again, going back to my consumer score, if I have a problem or something
that I disagree with, can I come to you and say, hey, I don't think this is accurate and here's why?
Yes, you can, right? And we've recently done some work with a bunch of organizations. This was an
initiative that was initially spearheaded by
some of the large banks who were asking that very same question, right? We've worked to establish
some principles around this that organizations who provide these ratings, FICO being one of them,
can adhere to that will allow that kind of interaction to take place, right? The principles are geared around, you know, best practices with respect to transparency, confidentiality, ability to remediate and
kind of quality of models and model governance that underpin these scores. So that, you know,
I think a couple of very important things can happen. A, people can have confidence that the scores are empirical, that they're not biased,
and that there is recourse if there are disagreements or if there are errors,
they can be quickly corrected and the right information can be leveraged.
That's Doug Clare from FICO.
Criminals have hit another Ethereum initial coin offering.
On Sunday, about $8.4 million in VERI tokens were stolen from the ICO.
After last week's theft of $32 million in Ethereum cryptocurrency via a flaw in the
wallet's contract, the White Hat Group said they intended to rescue and return Ether exposed
to the same vulnerability.
We were skeptical, but our skepticism was misplaced.
Apparently, the White Hat Group is proving as good as its word.
Motherboard reports the White Hat Group obtained control of about $208 million in Ethereum assets
and will finish returning the funds Monday.
Black Hat, DEF CON, and B-Sides are all this week in Las Vegas.
We'll be offering some updates from the events.
In the meantime, if you're there, do be careful.
The environment is a little like a saloon from an old Western movie,
so watch your virtual back, buckaroos.
Profit from the presentations and your visits to the floor,
but don't connect any USB drives or other media you find lying around.
And be aware that one of the demonstrations at DEF CON will involve the hacking of a smart gun.
This particular model, an Armatix iP1 automatic pistol,
is supposed to be fireable only when the user is wearing an Armatix watch
that functions effectively as an authentication token.
But there are two catches.
First, the researcher, who goes by the nom-de-hack Plore,
has demonstrated that it's possible to block the pistol from being fired even if the authorized user is wearing the watch and holding the weapon.
Signals can be interfered with.
And second, Plore has shown that you can override the safety
by putting a couple of dime-store magnets alongside the barrel.
They'll move the electromagnetic servos that were holding the weapon on safe,
and the firing pin is free to use.
Magnets.
Freakin' magnets.
And I'm pleased to be joined once again by Emily Wilson. She's the Director of Analysis
at Terbium Labs. Emily, personal information gets sold a lot online in the dark web, which is
one of your areas of expertise.
And you were sort of pondering what counts as personal information these days.
Yeah, I think this is something plenty of people are talking about, not just me. I think we're seeing kind of a shift over time naturally as we move, I think, especially into questions about things like biometric tokenization.
Thank you, Apple, for being able to read my fingerprint. I was thinking about this as a result of some of the
recent point of sale breaches from some different retailers or food service locations. Arby's and
Chipotle come to mind. They have these point of sale breaches. Information is lost, but they put
out press releases and they frame it as, hey, don't worry.
No personal information was compromised.
Okay, I buy that to a certain extent.
These are not health records.
This is a skimmer, so you're probably not going to get full cardholder information off of it.
But what makes personal information?
Is it that we're saying credit card numbers aren't personal information because they're easily changeable and they're not going to impact you but so much because you're not going to bear the burden of the fraud?
Well, how does that change something like a home address?
If you move every year to a new apartment, is it only personal information when it's actively yours?
Where do we draw the line?
For example, a phone number. That's easy enough to change.
Sure. You may have a series of phone numbers. Are they all personal? Is your work phone number
less personal? What about your conference line? You know, what counts as personal information?
And I don't think there's a clear answer. I think this is an ongoing discussion. But
I think it's interesting that these companies are coming out and saying, hey, don't worry.
Your personal information wasn't compromised.
Just your financial information that's tied to you personally.
Well, and certainly anyone who's been through having to change a credit card that you've been using for any serious amount of time.
That is a real annoying thing to have to do.
It's not fun.
No, it is disruptive, to say the least.
It's interesting.
I mean, speaking of the credit card, I mean, I wonder if some of it is who carries the
burden of the change.
Because with the credit card, the credit card company will send you, sometimes they'll detect
it and just send you a new, deactivate your card and send you a new one with a phone number. That's not going to happen.
Right. You know, a phone number, that's definitely on you, right? And, you know, I think
if you're dealing with a phone number or a home address, even, you know, there's a certain point
at which even a credit card number, it may not be tied to just you as an individual. You may have partners or
family members who are also connected to that. And, you know, at what point does it become more
impactful? You know, say you need to change a home phone number. People still have those,
I am told, or an address, right? At that point, it's not just your information. It's not just
your email address. You're dealing with details that are tied to more than one people or, you know, if it's company information, that makes it even messier.
Right, right. All right. It's an interesting thing to ponder. Emily Wilson, thanks for joining us.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.