CyberWire Daily - Internet shut down in Ethiopia. TRITON ICS malware updates. Security products patched. Cryptocurrency capers.
Episode Date: December 15, 2017. In today's podcast, we hear that Ethiopia's government has shut down the country's Internet during a period of unrest. TRITON ICS malware update. The FCC moves away from net neutrality. UK warnings about cable vulnerabilities. When a keylogger isn't a keylogger. Security companies patch some products. Pyongyang likes Bitcoin. More on the NiceHash Bitcoin caper. Emily Wilson from Terbium Labs on breach fatigue. Colleen Huber from MediaPro on their 2017 State of Privacy and Security Awareness Report. And, stick 'em up: your Ether or your life.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Ethiopia's government shuts down the country's internet during a period of unrest.
Triton ICS malware update.
The FCC moves away from net neutrality, UK warnings about cable vulnerabilities, when a keylogger isn't a keylogger, security companies patch some products, Pyongyang likes Bitcoin, more on the NiceHash Bitcoin caper, and stick 'em up, your Ether or your life.
I'm Dave Bittner with your CyberWire summary for Friday, December 15, 2017.
Unrest and fighting in Ethiopia appear to have prompted the government to shut down most of the country's Internet access.
Twitter and Facebook have been out since Tuesday. Other services are affected as well.
Ethiopian authorities have restricted the
Internet in the past, explaining it as a form of rumor control. The country's access to
the Internet is relatively easy to shut down, as Ethiopia has a single Internet service
provider, Ethio Telecom, which, as it happens, is also state-owned.
Voice of America offers a helpful contrast. Shutting down the Internet in the United States would require the cooperation of more than 2,600 ISPs.
There are other ways of reaching people, dial-up, international telephone calls, satellite phones,
but the ease and familiarity of the Internet are what people have come to depend on.
Investigation into the Triton attack on a Middle Eastern industrial plant continues.
FireEye's Mandiant unit is working on the incident, regarded as unusually dangerous because Triton infects safety systems.
A nation-state is widely suspected, with initial suspicion turning toward Iran.
CyberX says the unnamed plant is located in Saudi Arabia.
In the U.S., the Federal Communications Commission has cancelled the net neutrality policy it had operated under. We are unsure of what the implications of this will be, beyond one implication.
Cue the lawyers. A lot of litigation is expected to follow.
The UK's senior military officer warns that Britain's undersea cables are vulnerable to disruption. He sees them as an attractive target for Russian operators.
International cables have been cut, tapped and otherwise meddled with since the First
World War, so we've got about a hundred years of proof of concept to work with here.
Synaptics wants everybody to be clear.
That issue with its keypad on HP laptops involved a debugger.
Synaptics isn't in the keylogger business,
and they'll be taking steps to remove such development tools from their products going forward.
In patching news, two security companies have issued fixes for some of their products.
Fortinet has patched a credential leaking flaw in its VPN client.
Palo Alto Networks also has a patch out, theirs for a hole in its firewall that could permit remote attacks.
We've had a lot to say about Bitcoin lately,
most of it in the context of bad news, so some preliminary clarification is in order.
Bitcoin is used for many legitimate purposes, as well as for the dodgy ones we all too often hear
about. Not only do criminals often demand ransom or other payments in Bitcoin,
but pariah states have an interest in cryptocurrency as well,
because necessity is the mother of invention.
Consider North Korea.
Its finance is crippled by international sanctions.
The DPRK seems to be increasingly turning to Bitcoin as a source of badly needed funds.
There are some signs Pyongyang may be engaged in mining Bitcoin,
but they're also working on the faster payoff attainable by direct theft.
Secure Works has been tracking a phishing campaign
in which North Korean operators circulated a job opening,
CFO for a Bitcoin financial services company based in London.
The company was legitimate, but the position announcement was phish bait, dreamed up in Pyongyang using a spoofed source.
The goal was apparently to find people engaged in trading Bitcoin who could be induced to open
a malicious document that would enable the attackers to harvest their cryptocurrency
credentials and then drain their wallets. Krebs on Security has turned up an interesting fact about last week's attack
on the Bitcoin mining trading platform NiceHash.
The CEO of NiceHash, Matjaž Škorjanc, did prison time for his role in creating and selling the Butterfly botnet.
He was also instrumental in founding the online forum for criminals, Darkode.
He has denied to Slovenian media that he had anything to do with the disappearance of $52
million in Bitcoin from the exchange he runs.
His denials were, according to Krebs, vehement, and we note that indeed he hasn't been accused
of anything.
And lest we think of cryptocurrency crime as being either tech-savvy, subtly socially
engineered, and very white-collar,
we should think again. This story arrives courtesy of the Manhattan District Attorney,
whose office has announced that it's charged a guy in connection with an Ethereum robbery.
One Luis Meza, a New York City resident, has been charged with arranging a stick-up to relieve one of Mr. Meza's friends of said friend's valuables. The stick-up man specifically demanded
the password to the victim's Ethereum wallet. Here's how it happened. Mr. Meza invited his
friend, unnamed in public documents, over to Mr. Meza's apartment for a meeting. The meeting
concluded, and Mr. Meza appeared to call a car service to take his friend home. But once the
friend was in the car, the driver pulled a pistol and demanded the friend's
house keys, wallet, phone, and, significantly, the password to his Ethereum wallet.
The DA says that the day after the kidnapping, some $1.8 million in Ether cryptocurrency
turned up in Mr. Meza's personal account, the friend's digital wallet having been relieved
of a comparable sum.
The DA also says they have video surveillance images from the victim's apartment
showing Mr. Meza letting himself in with the victim's keys
and then exiting with items associated with the victim's digital wallet.
Mr. Meza, who of course is fully entitled to the presumption of innocence,
says he didn't do anything.
Still, the Manhattan DA seems to have enough to make this particular episode of Law & Order
run for only about 20 minutes instead of the full hour, including commercials.
Again, these are allegations.
Anyone mentioned in connection with any alleged crime is considered innocent until proven guilty.
Joining me once again is Emily Wilson.
She's the Director of Analysis at Terbium Labs.
Emily, we're going to talk today about breach fatigue.
I have a lot of thoughts about this, but before I jump in,
why don't you tell us what you're thinking?
Is it bad to make a joke that I'm tired of this topic?
Ha ha ha ha, yes.
I do have thoughts.
Just as someone who sees so much data all day, every day, getting leaked, letting people know that there are problems. I mean, we were talking earlier about whether it's attacks that are impacting
organizations, call it NotPetya, call it WannaCry,
or breaches that are impacting individuals,
Equifax or the new updated Yahoo count.
The hits just keep coming.
And it's been interesting to watch
both as an individual and as someone in this industry, people get worked up about the next new thing as they should. Equifax was huge. It was. There's nothing else on that scale that we've seen so far.
rightly outraged and rightly concerned for a few weeks, but there are no immediate implications,
whether for the individuals or for the parties that were involved in letting this happen.
And so what is going to be the thing that actually starts driving changes? How are we actually going to break through this? What is something that's going to hold the attention of individuals or
policymakers? Maybe it is Equifax. Maybe I'm
being pessimistic, but I'm feeling pretty pessimistic right now. I agree. And I think
there's several things to unpack here. I think part of it is the victims of this breach aren't
going to see, may never see any results from it. They may never get affected. They may never get
breached. So there's no direct correlation of Equifax got breached and now all my money is gone. It's not like a banking
failure, you know, a savings and loan failure or something like that. So this sort of thing
happened and it's bad. It may not, it may hit me, it may not. And if it does hit me, do I really
know that it was this one that actually hit me? So the direct cause and effect isn't there where people can get really wound up
and go to their policy people and say, you let this happen, I demand you fix it,
and what happened to my money or my safety or whatever?
The other thing I think is, and I'm curious what you think about this,
is no one goes to jail.
No one goes to jail.
And even we're seeing GDPR is going to happen this coming
next year. And even with GDPR, big fines, that's great. No one goes to jail. No one goes to jail.
People have fines, as you mentioned, these fines toward companies, again, let's remember,
not individuals. No one goes to jail. People lose their jobs. People may be brought before Congress and asked difficult questions. But is anyone being held accountable?
I was talking to people about Equifax and people were saying that they had largely been hearing about it as a huge embarrassment.
And they asked me if I thought anything was going to happen to the people responsible.
It's a little sad, but it was it was phrased as a joke. It was phrased as a rhetorical question because they all knew that nothing would happen.
Yeah, these folks, like you say, they get they get brought in front of Congress.
They get asked some difficult questions.
They they suffer through it.
Perhaps they resign.
They retire early.
They still get their golden parachutes.
So I think there's a general feeling that justice is not done when we have these sort of big breaches.
Generally, the companies don't go out of business.
So there isn't even that moral hazard of a company failure.
And I think that contributes to this feeling of breach fatigue because you're just tired of hearing about some new thing that's impacting you and you never see anything come to fruition. And you mentioned, right, the fact that some of these people are going to be impacted by the Equifax breach.
Some of these individuals, you know, they're going to have a problem, but they're not going to know it's Equifax.
And there's that lack of closure.
But there's also the lack of closure on the responsible parties.
And so it's not even as though you can be outraged and be exhausted by all of this,
but then justice is served.
Everything just keeps turning.
Right, right.
Well, like you, I don't have any answers.
It is frustrating.
Hopefully we'll see a day when some of these policy issues need to be taken care of.
But like you, I just don't, it's hard for me to imagine what's going to be the thing
as these breaches keep getting bigger and bigger.
We say to ourselves, well, this must be the one and it doesn't ever seem to be.
The question, yes, absolutely.
What's going to be the thing?
And also, what does justice look like?
Yeah.
All right, well, I wish we had answers, but I think these are important conversations,
and I appreciate you taking part in it.
Emily Wilson, thanks for joining us.
Thank you.
My guest today is Colleen Huber of MediaPro, whose offerings include custom online courseware. They recently published the results of a survey of over 1,000 finance employees, their 2017 State of Privacy and Security Awareness Report.
Colleen Huber joins us to share the results.
Our goal was to identify and improve employee behavior across just that wide range of risk.
So we asked respondents a variety of questions based on real-world scenarios, and then based on those responses, we classified them into three different categories.
So the three categories are three different risk profiles, meaning privacy and security risk, so those respondents who scored the lowest, followed by novices, and then at the top, privacy and security heroes.
And those are just based on the percentage of privacy- and security-aware behaviors that the respondent identified.
And how did it break down?
How many people fell into each of those categories?
So those people who we classified as risks,
meaning that they posed a risk to their company,
19% of those employees fell into that category,
meaning something like one in five employees.
And that's kind of scary. So we know that it takes just kind of one person to put information
at risk. But when we know that's more like 20% of people, that's really tough. The novices did
better. 51% of the population fit into the area. And these folks had a clue on some things,
but they had pretty serious gaps in other areas. So for example, let's say that I know everything
there is to know about cybersecurity. I change my passwords. I make sure that everything is patched,
but I let somebody just walk in through the front door without checking if they have a badge or if
they're authorized to be there. I would probably be classified as a novice. So these people, in my mind, are still a real source
of concern for an organization. The good news is that about 30% of employees fell into the highest
category, so security heroes, which means they could usually be trusted to do the right thing,
and usually is the key word there.
And this is the second year of our survey, and I expect that we'll do another survey next year,
but it's kind of hard to say what's more notable in our findings,
the fact that so many people moved from novice to hero, or that the number of people classified as risk really barely changed at all.
Yeah, but let's talk about that.
I mean, year over year,
it seems perhaps that we are headed in the right direction. Yeah, and I'm really, really hopeful
that we're going to continue to see general improvement in the security and privacy
awareness. And I really think that speaks to the work being done by organizations all over the
world and MediaPro included. But there is always more
work to be done. Was there any particular area that stood out to you as really needing improvement or
attention? You know, about 24% of employees were asked a hypothetical question about, you know,
controlling access to their organization's property to their building. So 20% of those
respondents said that they would hold
their office door open for someone who asked to enter, even though they didn't have maybe the
proper identification or they were just nice enough, right? So this is the classic tailgating
story. Based on last year's finding, the general public seems to actually have gotten worse at
recognizing these kinds of security threats. So last year, only about 19% of respondents let the same person through the door. And it's interesting
to me because we spend so much time talking about phishing and information risk, but keeping the
bad guys outside the building is still a pretty big issue. Yeah, it's notable, I think, also,
because it's not so much a technological solution
as it is just human nature.
Right, it's a culture thing.
It's like, how do you create a culture in your company
where it's okay to stop people from coming in the front door
when people want to be polite to each other?
So that act of asking people to check in with security
or to show their
badge can feel awkward. And yet, really, really big companies do that culture piece of it really
well. So we know it's possible. It's just a matter of building that culture into the organization
where it's okay to stop and ask or to stop and ask to see a badge. So was there anything from the results of
this survey that you found particularly surprising? I found it really interesting that we know that
phishing is this hot button issue and study shows that phishing is the primary cause of data
breaches and malware infections. So in our survey, when respondents were presented
with, I think, four emails, they were asked to identify them as phishy or legitimate. Only about
8% of employees proved to be a risk. And that's actually, you know, really decent compared to
all of the other categories. There's also some real improvement from last year when it comes to identifying email phishing.
So 92% of respondents correctly identified an example with a suspicious attachment.
So 92% this year, 75% last year.
What I find so surprising about it, and I want to be optimistic about this phishing number,
because it's the best kind of single risk number
in our whole survey. And yet if just one email with a malicious payload gets through,
the company's toast, right? I mean, let's just take our 8% number and say that, you know,
a company with 5,000 employees, each of these employees gets just 10 phishing emails a year,
and that's 10 that slip through both the technical defenses
that IT has already put in place. So 10 emails for every 5,000 employees, that's 50,000 emails.
And if the fail to recognize rate is only at, what did I say, 8%, that's still 4,000 potentially
dangerous attachments that get downloaded or those links get clicked.
So it's an area where I still think most companies are going to want to spend a lot of effort,
even though the numbers are improving.
That's Colleen Huber from MediaPro.
You can check out the complete survey, the 2017 State of Privacy and Security Awareness Report on their website.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.