CyberWire Daily - Influence operations, da. Direct hacking? Maybe nyet. Chalubo botnet borrows old tricks. Financial sector alert in Mexico. Airline breach disclosed. Lawsuits over privacy. ICS Security notes.
Episode Date: October 25, 2018

In today's podcast, we hear that the US Department of Homeland Security sees lower-than-expected rates of Russian election system probing even as Russian information operations continue. Sophos warns of the emergence of the Linux-based "Chalubo" botnet. Mexico's Central Bank raises its alert level. Cathay Pacific discloses a breach of passenger information. Privacy-related fines and lawsuits. And notes from the 2018 ICS Cyber Security Conference. Justin Harvey from Accenture joins us to talk about insourcing vs. outsourcing threat intelligence, and Tony Pepper from Egress Software Technologies shares his perspective on protecting unstructured data. For links to all of the stories mentioned in today's podcast, check out our Daily Briefing: https://thecyberwire.com/issues/issues2018/October/CyberWire_2018_10_25.html
Transcript
You're listening to the CyberWire Network, powered by N2K.
The U.S. Department of Homeland Security sees lower-than-expected rates of Russian election system probing,
even as Russian information operations continue.
Sophos warns of the emergence of the Linux-based Chalubo botnet.
Mexico's central bank raises its alert level.
Cathay Pacific discloses a breach of passenger information.
Privacy-related fines and lawsuits.
And notes from the 2018 ICS Cybersecurity Conference.
From the CyberWire studios at DataTribe, with your CyberWire summary for Thursday, October 25,
2018, I'm Peter Kilpe, Executive Editor, sitting in for the still-vacationing Dave Bittner. Dave
will be back in the studio on Monday.
The U.S. Department of Homeland Security is not seeing expected rates of Russian election
system probing, but its National Protection and Programs Directorate doesn't necessarily
find this reassuring, wondering instead what it might be missing.
That information operations have continued is attested to by the recent U.S. indictment
of a Russian troll facilitator. DHS is increasing its assistance to election officials overseeing particularly
close races. The effect of U.S. Cyber Command's campaign of warning Russian information operators
and whatever else Fort Meade may be doing remains to be seen. Some observers see a possible model
for retaliation and deterrence in the quiet information
campaign the U.S. and NATO allies ran against Serbian leader Slobodan Milosevic in the late
1990s. The campaign worked to push Milosevic's key backers, bankrollers, and business partners
away from the dictator. He became increasingly isolated and increasingly vulnerable to the
campaign that eventually took down his regime and ended the war in the Balkans.
Sophos Labs reports the discovery of a large botnet that
exploits poorly secured SSH servers and various equally poorly secured IoT devices. Called Chalubo
after its use of the ChaCha stream cipher, the botnet has adapted to run distributed denial
of service attacks. It's Linux-based, but researchers say Chalubo is using obfuscation techniques
usually associated with Windows-based malicious code.
It's also borrowed code from both XOR.DDoS and Mirai.
Observers offer the usual sensible recommendations about securing devices.
Familiarity in this case shouldn't breed contempt.
Advice to attend to basic hygiene is
always worth taking seriously. Mexico's central bank has raised the alert level for the country's
financial system after insurer AXA reported sustaining a cyber attack that attempted to
compromise cash payment systems. Hong Kong-based Cathay Pacific has sustained a major data breach.
The airline disclosed yesterday
that almost nine and a half million passengers may have been affected. Personal information
compromised includes passport numbers, identity numbers, credit card numbers, frequent flyer
membership program numbers, customer service comments, and travel history. Cathay Pacific
noticed the suspicious activity in March, confirmed the incident by May, but apparently waited until
this week to notify affected passengers. The UK's Information Commissioner's Office has assessed the
maximum allowable penalty, £500,000, against Facebook for its role in the Cambridge Analytica
data scandal. £500,000 is not much, perhaps, for a company as big as Facebook, but the fact that it's the maximum penalty allowable under the laws that were then current should give companies pause with respect to regulatory risk.
Those risks, at least in terms of the penalties regulators and the courts are able to readily impose, are likely to increase.
The plaintiff's bar is likely to play a significant role in the development of privacy and security standards of practice.
Facebook this week has been served with a lawsuit that alleges the company tracked a user's location even after that user had turned off such tracking.
The plaintiff, says the suit, quote, relied on Facebook's promise that, if he turned the location history off, Facebook would no longer build a location history logging his private location
information, unquote. The plaintiff alleges that Facebook continued to track him without consent.
The lawsuit is similar to a class action suit against Google that alleges similar location
tracking by Google's apps and services even after users changed their device settings to prevent
such tracking. Both suits accuse Facebook and Google of violating California privacy laws.
Dave recently talked with Justin Harvey from Accenture on insourcing
versus outsourcing threat intelligence. We'll hear that interview after the break.
And joining me once again is Justin Harvey. He's the Global Incident Response Leader at Accenture.
Justin, it's great to have you back. I wanted to touch today on threat intelligence, and specifically, what's your guidance for
companies to know when they should outsource threat intelligence or keep it inside?
Well, it's not always about threat feeds.
I think that a lot of organizations feel that if they get their threat feeds and they can
install them, that that's enough.
So that leads us to the conclusion that more and more companies have started to realize that. And they say to themselves, should we insource and collect and curate and analyze the threat
intelligence that we have in our own enterprise, or should we outsource that to a third-party
provider?
And the answer that I think that many of us have come up with is that there's simply not enough skilled people out there that can not only build and run a threat intelligence
organization, but sustain it over time.
And I think that one of the big recommendations that we have is actually consider outsourcing
that to a third party, because it's all about perspective, Dave.
Threat intelligence organizations are only really as good as their aperture.
How much data are they sourcing?
Do they have access to a wide swath of NetFlow and DNS data and strategic threat intelligence, and are they actually
monitoring and having the capability to access the dark web?
And what we have found is that the more that companies outsource their threat intelligence
to a trusted party, the higher value and actionable threat intelligence they can get from those organizations.
Now, are the two things necessarily completely mutually exclusive? Is it possible to dial in
a little of both, both have an in-house group, but then rely on outsourcing for some of it as well?
Sure, absolutely. Sometimes you don't need a full-fledged threat intelligence team with like
15, 20 guys and gals doing that intelligence.
Sometimes you can get away with one or two people that are acting as intermediaries and medium-level analysts, and then they can take what they're observing within the enterprise and work with a trusted third party.
Also, there are higher levels of risk associated with some forms of threat intelligence.
Let's take the dark web, for instance. There is quite a bit of risk that can be incurred by
creating personas, by infiltrating some of the dark web trading sites and commerce sites for trading PHI, PII, and cardholder data.
And our advice is leave that up to the companies that specialize in that, that have the ability
to invest to create these personas and to do the fake trading and transactions in order to
get access to that data and make it actionable.
Hmm. All right. Justin Harvey, thanks for joining us.
Thank you.
Wednesday's sessions of the 2018 ICS Security Conference continued examination of risk
management and the importance of security operators engaging the realities on the plant
floor.
In a presentation on consequence-driven risk management, LEO Cyber Security's Clint
Bodungen stated a first principle:
we do cybersecurity because cyber threats pose a risk to the business. He argued that cyber risks
should not be viewed as process hazards. Identifying consequences helps determine
safety controls and define the possible impact of events. He also offered a skeptical take on
the familiar risk equation, which depends on speculative numbers and lends a specious appearance of rigor to what is in fact a questionable and subjective process.
Two security leaders from Sony, Kristen Demoranville and Stuart King,
described the realities of assessing security in factories.
A security assessment is neither a tour nor a policy enforcement drill.
Their argument was security comes down to people and processes, which is neither surprising
nor controversial, but the lessons they drew were instructive. It is essential to recognize,
they said, that, quote, anything will break production, unquote. That is, surprising events
that you, the security officer, would not expect to be a problem, in fact, can disrupt industrial
processes. It's important to discover the factory and understand how it works,
and it's important to establish trust with the people that work there. Hanging out on the line
and in break rooms will give you a realistic appreciation for the facility's risk.
Demoranville and King said, you will find that not everything that looks like a risk is in fact
a risk, and many things that look benign actually do pose a risk. The factory is, they said, best
understood as a family.
People tend to work there for years.
They know one another well, and they don't know the outsiders
who come through and assess their work family's cybersecurity.
It's important to gain and merit their trust.
We heard Tuesday from Dragos on the Triton/Trisis malware
deployed against a Saudi petrochemical facility.
Yesterday, Nozomi's co-founder,
Dr. Andrea Carcano, spoke about their own investigation of the malware,
including the reverse engineering of the probable attack methods.
His conclusion was that the exploitation of industrial control systems is no longer for
the elite. Increased connectivity, readily available exploitation tools and malware samples,
and easily accessible ICS documentation and equipment combined to lower barriers to entry.
The 2018 ICS Cybersecurity Conference concludes today. We'll have more coverage tomorrow.
Barracuda Networks this morning released findings from its recently concluded global research into software-defined wide-area networks. The report, Security, Connectivity, and Control, the Challenges and Opportunities of SD-WAN,
describes the responses of IT and security professionals to questions about SD-WAN deployments.
Their concerns are unsurprising.
They want cost-saving, simplicity, and not the least, security.
Tony Pepper is CEO and co-founder of Egress Software Technologies, a provider of privacy
and risk management software designed to manage and protect unstructured data. Dave spoke with
him earlier about the growing variety and volume of unstructured data and why it can be challenging
for many organizations to protect it. When we talk about unstructured data, we mean any type
of content that really isn't stored in a more traditional structured sense,
so in backend databases. So we are talking about email content, whether that's message content or
attachments, but also any type of files or documents. And they can include audio files
and video files as well. And so what are the challenges when it comes to securing that data?
Well, I think one of
the challenges is really twofold, really. I think the first challenge is what is sensitive and what
is not sensitive. And I think end users have a real difficulty in sometimes being educated on
when to protect that. And again, there are programs like data classification to help, and they go certainly some way to doing that.
But I still think end users in the enterprise are really just unclear as to what is sensitive and what is not sensitive.
So I think that's the first point.
I think the next point is because unstructured data now is being created in different new forms.
So whereas traditionally unstructured data was
typically documents and PowerPoints and PDFs and stuff like that and images, actually now
sort of unstructured data in the modern business is often audio files and very large video files.
Not only is there more volume, but also the individual files, they're just getting bigger.
And so what are your recommendations? How can people go about approaching this problem?
Well, I think the first thing to say is that, you know, the traditional way of solving any
kind of data security is to put it at the boundary, is to kind of almost take it away
from end users, because apparently end users can't figure it out. I think end users can figure it
out. I just think the reality is that the solutions on the market are just either too difficult to use
or ultimately aren't sophisticated enough to be able to aid end users.
So what they've done to approach that is actually take it away.
And lots of technology on the market carries out rule-based regular expression,
policy control at the edge of the network.
But actually, that is not a way to
tackle this long term. The only way to tackle this long term is to deliver capability to end users
that they really engage with, but also really helps them. That actually says, well, using
machine learning, and certainly in our case, we can actually, with a very, very high degree of
probability, suggest what type of data this is, and also either auto-recommend or actually auto-deliver an appropriate level of protection, but done in a way that users are really part of that process.
So that's the first thing.
I think you've got to, you know, you've got to deliver tools around end users that makes them more productive, helps them in their day-to-day job, and automates a lot
of that real confusion. I think that's certainly the first piece. I think the second piece,
I think I just touched on, using modern technology now, I think we're moving away from more
traditional, regular expression-based DLP capability, much more intelligent ways to not only understanding what's sensitive
and what's not sensitive, but let's actually, let's do, let's go that little bit further.
Let's also use machine learning to actually say, well, long before we're going to figure out
if it needs an appropriate level of protection, let's make sure that the information we're sharing
is going to the right recipients. Because actually, if you look at the breaches in information security across the United States and worldwide,
actually, that is the largest segment of breaches of security,
whereby end users in business, not maliciously, but accidentally are communicating with the wrong recipients.
They're just accidentally sharing with people they didn't realize. Maybe Outlook's auto-filled out a recipient, typically with the same name of the person, the first name
of the person they're trying to communicate with. And then it also completes and then it's gone and
then it's too late. So I think we look at this in a much broader sense and kind of say, well,
the first thing we need to do is communicate with the right people. And the next thing we need to
do is make sure that we apply the right level of security and control. And the only way you can do that is using machine learning.
That's Tony Pepper from Egress Software Technologies.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in
Maryland out of the startup studios of DataTribe
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team
is Elliott Peltzman, Puru Prakash,
Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan,
Carole Theriault, Ben Yelin, Nick
Veliky, Gina Johnson, Bennett Moe,
Chris Russell, John Petrik, Jennifer Eiben, Rick Howard,
Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.