CyberWire Daily - Israel said to have tipped the US off concerning Kaspersky risks. Accenture databases exposed. Deloitte breach may be worse than initially thought.

Episode Date: October 11, 2017

In today's CyberWire, we discuss why the US Intelligence Community got prickly about Kaspersky: their Israeli colleagues tipped them off that something was fishy in the software's use. UpGuard says Accenture left some AWS data buckets exposed. Accenture says they were associated with decommissioned systems, but exposed they seem to have been. Sources say Deloitte's breach is worse than hitherto disclosed, with more than three-hundred clients exposed. Joe Carrigan from JHU ISI with some follow-up from a listener on password security when using password managers. Brian NeSmith from Arctic Wolf with results from an IoT ransomware survey.

Thanks for listening to the CyberWire. One of the ways you can support what we do is by visiting our sponsors. If you'd like to learn more about how small nuances in how artificial intelligence and machine learning are used can make a big difference, check out E8's white paper. Cylance uses cutting edge artificial intelligence to help protect your systems. If you are a woman in cyber security and want to make connections with others in the field, check out our own Women in Cyber Security event.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Why did the U.S. intelligence community get starchy about Kaspersky last year? Their Israeli colleagues tipped them off that something was fishy in the software's use. UpGuard says Accenture left some AWS data buckets exposed. Accenture says they were associated with decommissioned systems, but exposed they seem to have been. Sources say Deloitte's breach is worse than hitherto disclosed, with more than 300 clients exposed.
Starting point is 00:02:30 I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, October 11, 2017. The New York Times and other outlets reported late yesterday that Israeli intelligence officers tipped off their U.S. National Security Agency counterparts that Kaspersky software had been used to gain access to devices holding highly classified American intelligence documents. Israeli intelligence services monitoring Russian activity saw them using Kaspersky software as what the New York Times calls an improvised search engine. They notified their American colleagues and, the Times reports, this is the background to the U.S. government's decision to ban Kaspersky products from its networks. Israeli intelligence services penetrated Kaspersky in 2014, sources say.
Starting point is 00:03:15 Kaspersky discovered and disclosed without attribution Israeli presence on its networks in 2015. It connected the activity to the Duqu family of cyber espionage tools. Antivirus software is an attractive target because of the system access it receives. Kaspersky's products have the reputation of being particularly aggressive in their scans of the devices they're installed to protect. Kaspersky has long represented that as a feature, not a flaw, saying that such scanning increases their ability to offer protection against little-known and unfamiliar threats. Of course, should such scanning be compromised, it can be exploited to look for sensitive
Starting point is 00:03:54 material on the devices it's protecting. And that's what sources in the U.S. government say happened in this case. An NSA contractor's machine with Kaspersky security software installed was hacked by Russian intelligence services, probably the FSB by most accounts, who knew exactly what files they wanted, and those are the files they got. The U.S. government decided to ban Kaspersky security software from its networks on September 13, 2017, when the Department of Homeland Security issued Binding Operational Directive 17-01. The directive came after months of quiet warnings by intelligence and federal law enforcement organizations of the risks Kaspersky software presented.
Starting point is 00:04:37 Kaspersky Lab itself denied that its products were being used to collect intelligence on behalf of Russian or any other national intelligence services, and called for the U.S. government to, in effect, put up or shut up about the widely used security software. All questions about the undeniable tension between Russia and the U.S. aside, this would appear to be at least part of the evidence Kaspersky challenged the U.S. to present. Kaspersky's precise relationship to the alleged exploit remains unclear. If their software was indeed exploited, one can take one of the following positions on the incident.
Starting point is 00:05:12 Any one of these possibilities, or even some mix of all of them, is likely to be true. Either Kaspersky cooperated with Russian intelligence services and delivered its products up for espionage purposes, or the Russian services hacked Kaspersky without its knowledge, or the Russian services succeeded in infiltrating agents into the company without the company's executives' knowledge. A number of observers think it unlikely that any Russian company
Starting point is 00:05:38 would be able to refuse a request from their country's security services. Another major consultancy has suffered data exposure. UpGuard reports that on September 17, their researchers found sensitive data belonging to Accenture exposed in four unsecured Amazon Web Services S3 buckets. It's unclear whether the data, now secured, were obtained by bad actors. Accenture says the only unauthorized scan they've detected came from UpGuard. Accenture also says the material exposed,
Starting point is 00:06:09 including keys and credentials, was related to a decommissioned system. Deloitte's breach may have grown worse. The Guardian reports that 350 clients, including U.S. government agencies and multinational corporations, suffered exposure. Deloitte, which had put the number of affected clients at six, disputes the report. The number of data exposures being reported in companies that are well-resourced and sophisticated with respect to security is striking.
Starting point is 00:06:37 It seems failure to securely configure databases in the cloud is common. We can offer a couple of conjectures about why this is so. First, the cloud is so easy and seems to do so much that it can appear to users that their cloud service probably handles security implementation, encryption, and other basic elements of cyber hygiene. Unfortunately, that isn't so. These matters are generally the user's responsibility, although some cloud vendors, notably Amazon, are working to give their users as much help attending to these matters as they reasonably can. And second, organizationally, it may be fatally easy to regard configuring your AWS S3 buckets
Starting point is 00:07:16 as a routine IT task. Well, if there's any big lesson from the past two quarters, it's this: organizational leaders, pay attention to cloud security. The security of IoT devices remains an ongoing challenge, and the folks at Arctic Wolf Networks recently published the results from a survey titled "Ransomware of Things: When Ransomware and IoT Collide." Brian NeSmith is CEO at Arctic Wolf, and he shares insights from the report. A couple of good things stand out. The first is that, one, everybody wants their IoT devices to be connected. The idea of just getting a device that I'm not going to plug into a network,
Starting point is 00:07:55 I want to be able to remotely control it, I want to be able to configure it and manage it. And at the same time, a bit of cognitive dissonance. I want to connect to the internet, and whatever security exists on that device, I'm not really going to build anything else. So a bit of inconsistent view, which is I need something, but I'm not necessarily going to worry about the security. I'm going to depend on the vendor to make sure they're doing the right thing to secure that device. And is that a realistic expectation? I think much like you see in other parts of your infrastructure, you have to build a layered defense and adding monitoring and detection of failures in your
Starting point is 00:08:32 security is a critical part of making it. And that applies to IoT like it applies to laptops and servers and every other device that you have in your network. One of the interesting statistics I saw that you sent over was it said that nearly everyone expressed concern about ransomware, but almost half of them would rather pay off the cyber criminals with ransom than to adequately patch and protect their systems ahead of time. So this sort of reactive rather than proactive approach was preferred. Yeah, you see, I guess what I would say is overall general view, which is I find it impossible to keep everything patched. So if I do get compromised, I'm going to bet on, you know,
Starting point is 00:09:13 my ability just to pay the ransom and that's the way I'll recover. Or I'm going to restore from backups. I think to some extent you can consider it a form of just kicking your head in the sand, just hoping it doesn't happen to me. I suppose there's some good news to be taken from this. The survey pointed out that more than half of the organizations have a dedicated response plan. I would have said that in general, people have an idea, okay, what am I going to do if I get hit with ransomware, if I get my devices compromised? To some extent, I think, like you said, the incident response plan could be, I'm just going to pay the ransom and then restore it. In other cases, they've gotten
Starting point is 00:09:50 a bit more sophisticated with backup. But there is definitely a growing threat in this area. We're seeing more and more small businesses getting attacked using IoT. And it's the sort of thing that you can't ignore. It's not like a PC that you have on somebody's desktop where you can deal with it at a later date. If they compromise your heating system and it's the middle of winter, you've got to deal with it. So it begins an immediacy and something that's very apparent to a lot of organizations. Looking at the results of the survey, what were the take-homes for you in terms of advice you would give to organizations who are dealing with these IoT issues? I would start by recognizing that IoT devices are built on standard, much older operating systems.
Starting point is 00:10:35 And the organization can't depend completely on the vendor that's supplying those devices that they're going to stay patched and up-to-date. They're oftentimes packaged as a black box, but inside them is Windows CE, Windows 3.1, Windows 95, very old versions of Linux. And that organizations need to be more proactive and realize that this is a vector
Starting point is 00:10:58 that if they get compromised, it can be used to attack other parts of their infrastructure. Hackers only have to find the weakest link. And the weakest link increasingly is going to be most likely an IoT device. That's Brian NeSmith from Arctic Wolf. At AUSA yesterday, there was much discussion among attendees of the growing convergence of cyber operations with traditional electronic warfare disciplines. Those whose memories extend to the Cold War endgame found the discussion of the electronic threat very familiar. Now, as then, Russian electronic attack capabilities
Starting point is 00:11:32 were highly respected and much feared. This threat, with the rise of hybrid war, has now been transposed into the cyber domain. We'll have discussions of these and other matters later this week as the annual conference wraps up. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents,
Starting point is 00:12:08 winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting,
Starting point is 00:13:04 and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. In a darkly comedic look at motherhood and society's expectations, Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel,
Starting point is 00:13:45 Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. We'd like to tell you about some research from our sponsor Cylance. Good policy is informed by sound technical understanding. The crypto wars aren't over. Cylance would like to share some thoughts
Starting point is 00:14:50 from ICIT on the surveillance state and censorship, and about the conundrum of censorship legislation. They've concluded that recent efforts by governments to weaken encryption, introduce exploitable vulnerabilities into applications, and develop nation-state dragnet surveillance programs will do little to stymie the rise in terrorist attacks. These efforts will be a detriment to national security and only further exhaust law enforcement resources and obfuscate adversary communiques with a massive cloud of noise. Back doors for the good guys means back doors for the bad guys,
Starting point is 00:15:26 and it's next to impossible to keep the lone wolves from hearing the howling of the pack. Go to cylance.com and take a look at their blog for reflections on surveillance, censorship, and security. And we thank Cylance for sponsoring our show. And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Joe, welcome back. You know, we got some response from a listener about one of our recent segments. We were talking about password managers and password safety and so forth. And one of the things that we talked about was the possibility that if you are using a password manager, perhaps you're putting all your eggs in one basket and how
Starting point is 00:16:08 important it is to use multi-factor authentication. This listener sent in a clever bit of information. What they said they did, I'm not going to say their name because they didn't tell us we could use it on the air, but they said that what they do is they let the password manager automatically generate a random string. Let's just say it's 20 characters long. So they have the password manager automatically fill in that string, but then they append that string with a four-digit code that they know, a number or a phrase, whatever, that's meaningful to them, that they can remember, that they add to every one of these randomly generated passwords. Okay. So the point is, they have this randomly generated password
Starting point is 00:16:51 that the password manager remembers, but by appending it with this four-digit code, even the password manager doesn't know the whole password. Right. So it's this balance of them having something that's easy to remember. They only need to remember a short combination of characters. But it makes the password manager that much safer. Yeah, it does. I'll preface this by saying it doesn't make it less secure. A lot of times when I hear people say, I have this security idea, a lot of times what they're
Starting point is 00:17:22 doing is they're actually decreasing the level of security. Well, if you're using random 20-character passwords or so, you know, whatever, around just completely garbage string of characters as your password, that's already secure. And if your concern is that you're going to have a piece of malware exfiltrate your password database and that falls into someone else's hands, then this could be a hedge against that. Absolutely. I think it's a good idea. It doesn't hurt to do it. So do you think that's sufficient? Is it overall you're on board with this one? Well, I am on board with this one. I would recommend, however, that you are flexible with
Starting point is 00:18:02 being able to change that PIN over time. Because if some site that you're – if you're a specific target, and that's really what you're worrying about at this point in time, somebody gets one of your passwords, they're going to see – let's say they get your password from a breached site that didn't encrypt your password at all. It just stored it in plain text. Well, they're going to see the four-digit code at the end of your password. Right.
Starting point is 00:18:23 And if they also have your password library, your password manager and access to that, then they're going to quickly be able to associate that, so be able to change that. That is a very far-fetched scenario, though. Somebody getting access to a database and access to your password manager. Those two things are probably not very likely to happen. So I still think this is a good idea. All right, Joe Carrigan, thanks for joining us. My pleasure, Dave. Cyber threats are evolving every second, and staying ahead is more than just a challenge.
Starting point is 00:19:02 It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And that's the Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers.
Starting point is 00:19:48 I'm Dave Bittner. Thanks for listening. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. Thank you. AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
