CyberWire Daily - Haunted virtual meetings. AWS APIs share vulnerabilities. US Intelligence Community conducts a post mortem on 2020 foreign election interference. Meet the future (a lot like the present, only moreso).
Episode Date: November 19, 2020
Ghosts in the virtual machines. Cloudbursts in the forecast. The US Intelligence Community is preparing a report on foreign election interference. CISA has a new interim director. A view of the threat landscape from Canada. Caleb Barlow from CynergisTek on reclassifying the internet as critical infrastructure. Our guests are Shai Cohen and Brooke Snelling from TransUnion on building trust in a digital consumer landscape. And a look into the near future. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/224
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Ghosts in virtual machines, cloud bursts in the forecast,
the U.S. intelligence community is preparing a report on foreign election interference,
CISA has a new interim director, a view of the threat landscape from Canada,
Caleb Barlow from CynergisTek on reclassifying the Internet as critical infrastructure,
our guests are Shai Cohen and Brooke Snelling from TransUnion
on building trust in a digital consumer landscape and a look into the near future.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, November 19th, 2020.
IBM researchers have found and disclosed a vulnerability in Cisco's widely used WebEx
video conferencing service. IBM says it's a major user of WebEx itself,
which is why it looked into the code.
The vulnerability amounts to the potential for haunting.
Someone could join a meeting as a ghost,
unseen among the participants,
but with full access to audio, video, chat,
and screen-sharing capabilities.
The ghost could remain in the form of an audio connection
even after being detected and expelled.
And the ghost could collect information on meeting attendees,
full names, email addresses, and IP addresses
without even being admitted to the conference.
Cisco has patched the vulnerability, and users should apply the fix.
Researchers at security firm Palo Alto Networks have identified a class of Amazon Web Services APIs
that are susceptible to leaking AWS identity and access management users and roles in arbitrary accounts.
The researchers say the risk of the vulnerability can be mitigated by following sound IAM practices.
They may be familiar, but they're nonetheless worth a quick review.
Remove inactive users and roles to reduce the attack surface.
Add random strings to usernames and role names to make them more difficult to guess.
Log in with identity provider and federation so that no additional users are created in the AWS account.
Log and monitor all ...
The U.S. intelligence community is preparing a report on foreign attempts to interfere in the 2020 U.S. elections.
An unclassified version is expected to be publicly available in early January.
Preliminary evaluations, according to NPR,
suggest that foreign election interference was, as a Recorded Future executive put it,
a Y2K event, that is, a widely feared event that never really materialized.
Y2K, for those of you too young or too distracted at
the time to recall the late 1990s worries about the millennium bug, was a widely feared problem
generally believed capable of disabling computers running legacy software written since the 1960s
that identified the year in a date with the last two digits only. So, for example, not 1995, but 95. Once the
calendar flipped over to 2000, the concern was the computer wouldn't know that it was the year 2000
and not the year 1900, and that any functions that were keyed to dates would be hopelessly
out of kilter, and that the effects of the date confusion would cascade throughout systems and
networks with unforeseeable consequences, all of them bad. What actually happened was
really nothing much. The work to remediate the Millennium Bug caught some otherwise buggy
software, and the money thrown at the problem enriched a lot of retired COBOL jockeys,
good for them we say, but the widespread problems really never materialized.
That seems to have been the case with foreign attacks on the 2020 U.S. election.
Widely feared, much prepared against, and in the end not enjoying much success. In 2020, the U.S.
had two things going for it, an engaged CISA actively working with states and the private sector, and a Cyber Command willing and able to engage forward.
The U.S. Cybersecurity and Infrastructure Security Agency has yet to update its leadership page,
but multiple reports from, for example, Politico and CyberScoop
say that CISA's executive director, Brandon Wales, will lead the agency on an interim basis.
Director Wales joined the Department of Homeland Security in 2005 and has served there ever since,
most recently as a senior career executive and CISA's third-ranking official.
His interim appointment is generally regarded as auguring more continuity than change.
We're in the season during which cybersecurity firms offer their
forecasts for the coming year. We'll be collecting some of those predictions here.
Today's include a comprehensive look at the current and future state of cybersecurity from
the Canadian Centre for Cybersecurity, a look at the evolutionary innovation cybercriminals'
techniques are likely to undergo, especially with respect to ransomware,
and a warning about the growing prominence of artificial intelligence
in threat actors' tactics, techniques, and procedures.
The word from Canada is that, quote,
the number of cyber threat actors is rising and they are becoming more sophisticated, end quote.
The center sees the thriving market for cyber tools
and a growing pool of criminal cyber talent
as combining to produce not only more criminal actors but more advanced and aggressive cybercrime.
They expect this trend to continue.
And while cybercrime is the more prevalent threat to Canadian citizens and, really, people everywhere,
the center points out the threat posed by the familiar four nation-states who've long troubled the Five Eyes, Russia, China, Iran, and North Korea.
These, the analysis says, will continue to represent the greatest strategic threat to Canada.
With respect to artificial intelligence and machine learning,
the warning comes from a report prepared by security firm Trend Micro,
in collaboration with Europol and the United Nations Interregional Crime and Justice Research Institute.
They see several accelerating trends that have already begun.
The potential deepfakes bear for fraud and disinformation, vastly improved password guessing, bots successfully impersonating humans in social media, and AI-supported hacking.
Some of the new threats just over the horizon include successful automation of social engineering
campaigns and the use of AI to manipulate cryptocurrency markets. So the view of the future?
A lot like today, only more so.
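The IAM hygiene list in the AWS API story above (remove inactive users and roles, federate through an identity provider so no extra IAM users accumulate, log and monitor) is easy to agree with and hard to keep enforced. The script below is an added example, not code from the episode or from Palo Alto Networks. It works from two inputs a practitioner already has on hand: the IAM credential report (the CSV that `aws iam get-credential-report` returns, base64-encoded) and the role listing from `aws iam list-roles`, which carries a `RoleLastUsed` record per role. Both inputs here are constructed samples with made-up account numbers and names; the script makes no AWS calls, and the idle threshold, the sentinel handling and the decision to treat never-used identities as aged from creation are this example's choices, not AWS's.

```python
"""Flag stale IAM users and roles, and console-password users, from IAM report data.

Added example, not code from the CyberWire episode or from Palo Alto Networks.
Inputs are constructed samples shaped like the real outputs of
`aws iam get-credential-report` (CSV, after base64 decoding) and
`aws iam list-roles` (RoleLastUsed per role). Nothing here contacts AWS.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Sentinel values the credential report uses where no timestamp exists.
NO_TIMESTAMP = {"", "N/A", "no_information", "not_supported"}

# Pinned "now" so the sample output is reproducible (the episode's date).
SAMPLE_NOW = datetime(2020, 11, 19, tzinfo=timezone.utc)

# Constructed sample credential report: real column names, made-up account, users and dates.
SAMPLE_CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2019-01-10T08:00:00+00:00,not_supported,2020-11-01T12:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2019-03-02T09:00:00+00:00,true,2020-11-18T14:22:00+00:00,2020-09-01T00:00:00+00:00,2020-11-30T00:00:00+00:00,true,true,2020-09-01T00:00:00+00:00,2020-11-18T14:30:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
build-bot,arn:aws:iam::123456789012:user/build-bot,2018-06-15T10:00:00+00:00,false,N/A,N/A,N/A,false,true,2018-06-15T10:00:00+00:00,2019-02-20T03:00:00+00:00,us-west-2,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
contractor,arn:aws:iam::123456789012:user/contractor,2019-08-01T10:00:00+00:00,true,no_information,2019-08-01T10:00:00+00:00,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Constructed sample shaped like the Roles list from `aws iam list-roles`; RoleLastUsed is
# empty when the role has not been assumed within AWS's tracking window.
SAMPLE_ROLES = [
    {"RoleName": "app-server-role",
     "RoleLastUsed": {"LastUsedDate": "2020-11-18T10:00:00+00:00", "Region": "us-east-1"}},
    {"RoleName": "legacy-migration-role",
     "RoleLastUsed": {"LastUsedDate": "2019-05-01T10:00:00+00:00", "Region": "us-east-1"}},
    {"RoleName": "never-assumed-role", "RoleLastUsed": {}},
]


def parse_ts(value):
    """ISO-8601 report timestamp -> aware datetime, or None for the report's no-data sentinels."""
    if value is None or value in NO_TIMESTAMP:
        return None
    return datetime.fromisoformat(value)


def last_user_activity(row):
    """Most recent console login or access-key use for one credential-report row, or None."""
    stamps = [parse_ts(row[col]) for col in
              ("password_last_used", "access_key_1_last_used_date", "access_key_2_last_used_date")]
    seen = [s for s in stamps if s is not None]
    return max(seen) if seen else None


def stale_users(report_csv, now, max_idle_days=90):
    """Names of IAM users idle longer than max_idle_days (never-used users are aged from creation)."""
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue  # root cannot be removed; it needs its own checks (MFA on, no access keys, unused)
        last = last_user_activity(row) or parse_ts(row["user_creation_time"])
        if last < cutoff:
            stale.append(row["user"])
    return stale


def console_password_users(report_csv):
    """IAM users holding a console password; once humans sign in via an IdP this list should be empty."""
    return [row["user"] for row in csv.DictReader(io.StringIO(report_csv))
            if row["password_enabled"] == "true"]


def stale_roles(roles, now, max_idle_days=90):
    """Roles never assumed, or not assumed within max_idle_days."""
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for role in roles:
        last = parse_ts(role.get("RoleLastUsed", {}).get("LastUsedDate"))
        if last is None or last < cutoff:
            stale.append(role["RoleName"])
    return stale


if __name__ == "__main__":
    # Against a real account, produce the two inputs with:
    #   aws iam generate-credential-report
    #   aws iam get-credential-report --query Content --output text | base64 -d > report.csv
    #   aws iam list-roles --query Roles > roles.json
    print("stale users:", stale_users(SAMPLE_CREDENTIAL_REPORT, SAMPLE_NOW))
    print("console-password users:", console_password_users(SAMPLE_CREDENTIAL_REPORT))
    print("stale roles:", stale_roles(SAMPLE_ROLES, SAMPLE_NOW))
```

Two caveats before acting on the output. IAM only tracks role and password last-used information for a limited window (AWS documents 400 days), so an identity older than that with no recorded activity shows up as `no_information` or an empty `RoleLastUsed`, and this script deliberately treats that as stale rather than as unknown; confirm against CloudTrail before deleting anything. And nothing in a script like this covers the remaining recommendation, adding random strings to user and role names, which is a naming policy rather than something to detect after the fact.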
The global pandemic has forced many organizations into facing rapid transitions,
enabling their employees to work from home, moving customer transactions online,
or shifting away from in-person meetings and conferences. The Economist Intelligence Unit and TransUnion recently published a report that
highlights digital transformation and which emerging technologies could present challenges
for and increase fraud prevention, economic inclusion, and consumer privacy. The report
is titled New Dimensions of Change, Building Trust
in a Digital Consumer Landscape. Shai Cohen and Brooke Snelling join us from TransUnion.
We hear from Brooke Snelling first. TransUnion decided to partner with the Economist Intelligence
Unit in order to survey a group of executives from around the globe. There were over 1,600 executives surveyed
in order to get some feedback on seven main trends that we saw in the areas of digital
transformation and things that are happening globally in the world. From those surveys,
we came back with kind of three key trends that we were going to focus on and created a global report to
really speak to this is what's happening in the areas of digital transformation, of new things
happening in the world at large. And these are the kind of pain points that the executives are
feeling. The end result of that survey was one major global report and then 10 individual country reports.
Well, Shai, let me switch over to you.
Can you take us through some of the key findings here?
Yes, I would say there are three major findings:
digital experience and transactions,
biometrics becoming a big part, or the main part,
of authentication,
and using machine learning
to actually prevent and detect fraud across all the different data elements that are coming
into place.
Obviously, we saw a gradual increase in online transactions regardless of the pandemic,
but the pandemic dramatically accelerated that.
And also, as a result of just more customers transacting online,
there is also, as a result, a need to protect, you know,
many more transactions.
So more ways of defending, providing consumer insight, and detecting and preventing fraud are also coming into place. And the good thing is that,
you know, as transactions are growing overall, we have more tools to, you know,
address the needs to prevent and detect fraud. Was there anything coming out of the study that
was surprising or unexpected? Let me start
with you, Brooke. Absolutely. I think there were a lot of things that came out of the study that
surprised me. One of them was metrics around artificial intelligence, AI, and machine learning.
It was very interesting to me that 43% of the respondents believed the greatest benefit that
AI would have to their organization
was in the areas of fraud prevention and security.
And as we kind of were delving into that, considering that really good AI really requires
very good data, my favorite metaphor is as though you're cooking, you can have the best
chef, you can have the best pots, you can have the best kitchen in the world.
But if you're starting out with rotten tomatoes, your soup is going to be terrible.
It doesn't matter.
So you have to have the really good data and a really good team that knows what to do with the data.
You have to have a lot of transactions to train on that data.
And that requires resources.
And so I feel like one of the things that we really found in this report was
that businesses want this AI, they want to be able to use it for fraud and security, but they're
feeling this pain of lack of resources and what is required to be able to use this AI. And so to
really be able to find those partners that have all that good data, that know what to do with
that data to really enable businesses to use it for the purposes of fraud prevention and security
in particular. Our thanks to Shai Cohen and Brooke Snelling from TransUnion for joining us.
The report is titled New Dimensions of Change, Building Trust in a Digital Consumer Landscape.
And joining me once again is Caleb Barlow.
He is the CEO at CynergisTek.
Caleb, it's always great to have you back.
I want to touch base with you about some of the things that we've learned
as we've made our way through this pandemic journey
and the importance of some of the things that we take for granted.
You know, when we're talking about things like critical infrastructure,
I know you have some thoughts here.
Well, today CISA defines 16 critical infrastructure sectors.
And these are, well, honestly, Dave, they're kind of the critical infrastructure you define in a World War II world, right?
Energy, healthcare, communications.
I don't know about your household, but my critical infrastructure are things like Zoom, Twitter, email, Comcast, right?
Now, Comcast is a good example.
There actually are critical infrastructure
because they're a communications provider.
But what about Twitter, Dave?
If the president of the United States uses Twitter
as the primary means to communicate with a populace,
whether you agree or disagree
with some of the things he says,
isn't that by definition critical infrastructure, especially when we now know that a 17-year-old can breach
that and tweet other things? And we've all talked about that breach of what could have happened,
right? But do we need to think about these other areas as critical infrastructure? And, you know, we don't
need to look any further than recent cyber activity of companies like Zoom, right? Zoom is how we
educate our children right now, how we go to work, and how we have parties with friends, all on Zoom
today. Probably need to rethink about how important applications like that are to us.
We talked about Twitter. What about Garmin? Now, here's another interesting example, right? So,
in the case of Garmin, they went down with a ransomware incident, but what is Garmin used for?
Garmin is, for all intents and purposes, a life safety device. It's also a, you know,
a cool little thing I wear on my wrist to figure out what my workout looks like.
But if I'm an aviator or a mariner, I depend on Garmin for my life.
And maybe we need to rethink these things in a different way because if that data can be manipulated, if it can be changed, and if it can be accessed for ransomware, then there's a pretty good chance you can access this type of data
to change it. And I'm not picking on Garmin specifically, but just think about this as an
example, right? Now, Dave, I don't know if you know this, but I'm a lobster man. I'm a big mariner.
And that happens to be also where I listen to the CyberWire, while I capture lobsters, right?
But I got to tell you, there are
some places I go with my boat that I wouldn't dare to go 20 years ago because, you know, there are
rocks in certain areas and I need to know exactly where I am. And if I know where I am, it's great
cruising. And guess what? That's where the good lobsters are. But if I can't trust that, then my whole world changes in terms of how I think about it.
And I guess my point here is maybe there are some new critical infrastructures that we all need to think about coming out of COVID.
I mean, the internet is probably the critical infrastructure of all critical infrastructures.
And I would argue that as a country, we don't put the type of thought we need to put into keeping that running like we put into the energy grid or like we put into hospitals or like we put into transportation.
And maybe we need to change our point of view.
What would that look like in your mind?
Well, so you get into a tough balance, right, of, you know, this isn't going, oh my gosh,
bring in the regulators and lock everything down. But it does mean we need to think about some
things in new ways. I mean, probably a great example of this in looking at the Twitter breach
as an example is how many employees there actually had access that they could change and post on
behalf of one of their clients. Simple separation of
duties would have prevented that, right? You know, these various types of security provisions,
expectations, third-party audits, maybe in some cases regulatory formats, and I'm not necessarily
saying that's the way to go, but the point is we've got to stop thinking about Facebook and Twitter and Amazon as social media apps or places where I buy things.
We've got to start thinking about these things as the lifeblood of our economy, the lifeblood of who we are.
Because if they go down, we're down.
I mean, what would your life be like during this pandemic, Dave, if you didn't have the internet?
I couldn't work.
No.
What if you didn't have Amazon?
Like how different would your life be right now
if you didn't have Amazon?
Yeah, I mean, I think these are all,
I mean, it's an excellent point
and something to be mindful of.
I guess I worry that it could be
a be careful what you ask for situation because
is it incorrect to say that with being categorized as critical infrastructure,
there comes all sorts of regulatory regimes with that? Well, maybe we need to refine what
critical infrastructure is. Maybe it's not about bringing in the regulators. Maybe it's about making sure that we have a contract of trust with these companies that
no matter what, they can protect our data.
No matter what, they've got resiliency plans to keep on running.
And look, there have been some amazing hero stories in here too, right?
I mean, not for nothing, but let's give a little kudos to Amazon in this in that, I mean, think of how much infrastructure runs on their servers.
Hasn't gone down, still working.
I'm still getting my packages at home, and I'm ordering a heck of a lot more than I ever did before, right?
I mean, so there are some amazing positive stories in this as well.
But we really need to think about how critical different parts of our world are than a past generation. And we've got to flip the switch from World War II thinking
to 2020 thinking. All right. Interesting insights as always. Caleb Barlow, thanks for joining us.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed because you're worth it.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is
Elliott Peltzman,
Puru Prakash,
Stefan Vaziri,
Kelsey Bond,
Tim Nodar,
Joe Carrigan,
Carole Theriault,
Ben Yelin,
Nick Veliky,
Gina Johnson,
Bennett Moe,
Chris Russell,
John Petrik,
Jennifer Eiben,
Rick Howard,
Peter Kilpe,
and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.