CyberWire Daily - Log4j and industrial control systems. Regulators consider the software supply chain. Malsmoke hits an old vulnerability. Social engineering via Google Docs. Call spoofing and robocalls.
Episode Date: January 6, 2022. ICS vendors address Log4j vulnerabilities. Regulators and legislators think about addressing issues in the software supply chain. Ransomware gangs were quick to exploit Log4Shell. An old, and patched, Windows vulnerability is being exploited by the Malsmoke gang. Social engineering of Google Docs users is up. Mr. Klyushin pleads not guilty. Robert M. Lee from Dragos makes the case for salary transparency. Our guest is George Gerchow from Sumo Logic with new approaches for the modern threat landscape. And call spoofing is making robocalls moderately more plausible. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/4 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Vendors address Log4j vulnerabilities. Regulators and legislators think about addressing issues in the software supply chain.
Ransomware gangs were quick to exploit Log4Shell.
An old and patched Windows vulnerability is being exploited by the Malsmoke gang.
Social engineering of Google Docs users is up.
Mr. Klyushin pleads not guilty.
Robert M. Lee from Dragos makes the case for salary transparency.
Our guest is George Gerchow from Sumo Logic with new approaches for the modern threat landscape.
And call spoofing is making robocalls moderately more plausible.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, January 6th, 2022. ICS vendors, like everyone else, have been examining their products for Log4j vulnerabilities,
and they've been finding and fixing some.
SecurityWeek has a useful and interesting summary of the ways in which the companies are working on the problem. The companies who found and disclosed issues include ABB, Honeywell, Phoenix Contact, Rockwell Automation, Schneider
Electric, Siemens, Sierra Wireless, and Wago. Emerson, Johnson Controls, and Moxa are still
investigating, but they've published lists of products they've confirmed are unaffected.
Inductive Automation, VTScada, and COPA-DATA have confirmed to their customers that their
products are unaffected.
Most of the issues the companies have been finding are related specifically to Log4Shell,
but some of the other later and lesser vulnerabilities have also been detected
and are similarly being addressed. Regulators and legislators are looking for ways of preempting
the next widespread vulnerability and for the required responses and incentives for organizations to do better.
U.S. Senator Gary Peters, Democrat of Michigan,
chairman of the Senate Homeland Security and Governmental Affairs Committee,
said yesterday that the Log4J issues show the importance of mandatory reporting requirements.
Defense Daily quotes the senator, I remain concerned that we will likely never know the full scope and impacts of this widespread vulnerability or the risk posed to critical infrastructure.
Our federal government still lacks the necessary insight to understand the threat facing our nation, protect our networks, and impose consequences on malicious hackers, end quote.
Media reactions to the U.S. Federal Trade Commission's advisory about companies'
responsibility for fixing Log4j vulnerabilities have focused on the FTC's tough line and the commission's not-so-veiled warnings that businesses would be well advised to get on
with detection, remediation, and disclosure,
lest they get the Equifax treatment.
The Equifax treatment, for any of us who might welcome a reminder,
was a $700 million settlement, which Equifax reached after what the FTC summarizes as the credit bureau's failure to take reasonable steps to secure its network
led to a data breach in 2017 that affected approximately 147 million people.
The FTC's reference to Equifax in its statement is a clear signal of how the Commission intends to frame any cases of slack,
dilatory response to vulnerabilities that arise in the open-source supply chain.
Ransomware gangs have continued to exploit these vulnerabilities where they can,
and a recent case indicates that you don't have to be either slack or laggard to be a victim.
Bleeping Computer reports that the Vietnamese cryptocurrency trading firm Onus
has declined to pay the $5 million ransom the hoods demanded in a double extortion scheme.
The vulnerability was in
the Cyclos point-of-sale and payment system server Onus used. As an indication of the speed with
which the criminals can move on newly available exploits, Cyclos delivered a patch for its systems
on December 13th, and Onus promptly applied it. That was just four days after Log4Shell was first publicly
disclosed, but by then it was already too late. The hoods had gained access to know-your-customer
databases that contained personal information and hashed passwords.
Turning from Log4J, there's another example of risk arising from failure to patch, but in this case,
it really was dilatory, although it might be cruel to call it slack. Since November, the
Malsmoke gang has been distributing Zloader banking malware via an old Windows flaw Microsoft
patched back in 2013, Check Point reports. We said it would be cruel to call failure to patch slack because
Microsoft made the patch available as an opt-in because of concerns about false positives flagging
legitimate installers. ZDNet spoke to Microsoft about the issue and was told, quote,
We released a security update, CVE-2013-3900, in 2013 to help keep customers protected from ... or convincing a victim to run a specially crafted signed PE file. End quote.
Microsoft, we note in disclosure, is a CyberWire partner.
Applying the patch should protect users from this latest Malsmoke campaign.
Security firm Avanan today warned of an increase in criminal exploitation of Google Docs. The attempts, which increased markedly last month, often proceed by posting comments to a Google Docs file, which they then send to their intended mark. Comments show only
the display name, not the email address, which makes it easier for the attacker to lull the
victim into viewing and opening the content. Avanan recommends these precautions. Users should
be encouraged to cross-reference
email addresses when they receive Google Docs comments to ensure they're legitimate.
If they're unsure, they should reach out to the legitimate sender and confirm that they
indeed sent the document. It's always a good idea to follow some standard good practices,
like inspecting links and looking for such telltale signs of social engineering as
odd diction and non-standard grammar, and use protection that secures the entire suite,
including file sharing and collaboration apps. Researchers at Talon this morning published an
overview of the risks web extensions pose for users. Grammar and spelling checkers, password managers,
ad blockers, and other extensions
tend to require extensive permissions,
and those permissions, in turn,
can be abused by malicious versions of the tools.
Vladislav Klyushin, the Russian tech oligarch
who faces charges in the U.S. over alleged trading
on non-public information obtained by hacking, was yesterday denied bail by a U.S. federal magistrate in Boston,
Newsweek reports. Reuters says Mr. Klyushin pleaded not guilty. His attorneys maintain
that the charges are trumped up and that the U.S. wants Mr. Klyushin in custody to extract
what he knows about Russian attempts to interfere with the 2016
U.S. elections. And finally, complaints about robocalls to the U.S. Federal Trade Commission
increased by 25 percent over the past year, Reuters reports. Automation permits the scammers
to operate on a large scale, and more widespread use of spoofing has lent the calls more initial plausibility than
they would otherwise enjoy. So maybe the caller ID looks right, but when you hear that distinctive
bloop, well, you know what you're dealing with.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for
cyber criminals to bypass your company's defenses is by targeting your executives and their families
at home? Black Cloak's award-winning digital executive
protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. In fact,
over one-third of new members discover they've already been breached. Protect your executives
and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
Let's do a bit of a thought experiment here.
Imagine an organization with IT and security departments.
Got it? Okay, now let's combine those two departments.
Still with me?
All right, one more thing.
We're going to put the security folks at the helm and have IT report to them.
Still with me?
George Gerchow is chief security officer at Sumo Logic, and his team has adopted this very model.
When I first got started in this industry, security always came up through IT because everything was about availability.
And then you would roll out applications, critical or not, and then bolt security on afterwards.
And I think that model has proven to be broken over the years.
And we've seen an emergence over the last two or so that while availability still matters,
because of course everyone has to be able
to access their services,
that with supply chain attacks, ransomware,
and everything else that's gone on,
security has to seamlessly be embedded
into that availability.
And so it just makes sense now
to have sort of security leading the charge
with designing these applications and how they're rolled out from the very beginning.
How does that play out for you and your team there at Sumo Logic?
Luckily enough, Dave, IT now reports into security at Sumo Logic, which again is part of the trend that we're seeing.
We collaborate from the beginning.
So from the very start, whenever it's a
IT business application or a
SaaS-based productivity app or even
in our AWS infrastructure, we design it,
build it together, and we try to work in as much of an
agile fashion as possible, meaning get out of the way.
How do you approach this from a cultural point of view?
I would imagine there are many organizations who, considering an idea like this, would think to themselves, oh my, we're going to have ourselves a little turf war here.
Bingo.
You kind of just really hit the crux of this whole thing.
Well, it really starts off with security and how we have to change.
So I'll give you two examples. The first one is, I think typically security folks have a background
of being more naysayers, kind of blocking innovation because of the nature of our job,
wanting to make sure that all the I's are dotted and the T's are crossed when trying to do that on
the back end is tough. And so what we have to do now is shift left ourselves and really start adopting more of
a development mentality and start moving faster and embedding security into the culture of
that innovation.
The second example I'll give you is a culture of transparency and self-reporting in a safe
place.
When I first came up, I came up in IT,
just to get that out there. And whenever I saw a security person coming, when security first got
started, I would run because I was like, oh man, I don't want to talk to these people. They're
scary. They're going to get me in trouble. And we really changed that at Sumo Logic and other
places as well, too, to where people can feel safe when they make a mistake, let us know, we'll resolve the issue,
mitigate it from happening moving forward, but then not report it up to their management unless
obviously it's a trend in a repeatable pattern we're seeing. When you do things like that,
it empowers every person to take security seriously and then also just open up those
lines of communication. So it's very much a cultural shift.
Now that you're on the other side of this for a little while, I mean, what are some of the benefits that you all are tracking here? Are there any unexpected
things that have come out of this that have turned out to be net positives?
Massive benefits. Dave, the first one alone is cost reduction. Typically, most organizations have a NOC and a SOC,
a network operations center and a security operations center.
It's never made sense to me because whenever you have an outage,
the SOC gets involved and works with the NOC.
Whenever there's a security incident, the NOC gets involved and works with the SOC.
And so why not combine those two functions, use the same tooling,
use the same single source of truth, and try to drive optimization and efficiencies that way?
So that was the first really big benefit we saw.
The second one was IT folks are really good at security.
And so when you start shifting their mindset to be more security-oriented as they roll out new services, it's just a net net win for the organization
because it's not someone else's responsibility.
It's now theirs as well too.
So there's been a lot of wins
and there will be more as we start moving into 2022.
How do you make the case to the powers that be,
to the C-suite and the board of directors?
That's one of the hardest things to do
because they've always looked at it opposite, right?
You know, availability is everything
and security kind of falls in behind that.
But the news itself does that.
I always say, Dave, that being in security today
is like selling insurance.
You know, like most of the time you're like,
hey, look what happened in the news.
What if, you know, and everything else.
Now it's everywhere.
You know, a CEO's driving in,
they're listening to NPR or whatever
their station of choice is.
And every single day for the first time ever, you see ransomware on the cover of the Wall Street
Journal, Forbes, SolarWinds, vulnerability all over the place. So it's naturally starting to
feed into their news mechanisms. And then it really is, again, selling that strategy and saying,
look at what cohesively we can do by combining these two units and baking security seamlessly into all of our IT functionality. That's George Gerchow from Sumo Logic.
Thank you. worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep
your company safe and compliant.
And I'm pleased to be joined once again by Robert M. Lee.
He is the CEO at Dragos.
Rob, it's always great to have you back on the show.
You know, I saw on Twitter recently you had a series of tweets where you were sort of outlining some of the policies you have there at Dragos when it comes to pay transparency.
Some unusual things going on there, and I thought interesting insights for our audience.
Can you share what's going on there?
Sure, yeah.
We do a lot of things at Dragos that I think are different than other places. I'm sure there's other places that do them as well, so that's not meant as an insult to anybody. But
we do a lot of things that people scratch their head at first, and it's turned out really well
so far. So we'll adapt if we do it wrong later. But even in the very beginning, when we hired our marketing lead,
and I would say things like,
hey, we're not going to put up a banner
that requires somebody to put in their email.
No, no, Rob, you don't understand.
That's how companies do it.
That's how they get leads and things like that.
You know what, just put it up as optional.
If people want to do it, that's fine.
But I hate that as a practitioner,
so I don't want to force that now
that I'm in the position that I'm in.
We didn't ever do that.
We always did the optional way,
and it did even better for us.
We got higher quality leads and all these things.
Along the way, what I tell my employees is,
we've made a lot of choices that I think
are the right choice in the sense that
we can stand behind it and believe in it.
I don't know that they're the smart choices.
I'm going to answer your question
and walk you through some of the things we've done,
but in full transparency out to other people
running companies and so forth.
There's a lot of pros and cons to these things
and I think it's the right choice.
Some of them explicitly are not the smart choice.
And the one that you picked up on first
is the pay transparency thing.
So we have a career path for every career in the company.
And let's say, on average,
they go from level one to level 10.
And so there's different positions
and I'm structured out what's the roles
and responsibilities for that
and all that kind of good stuff.
And in that career path,
you have full pay transparency.
So if you're a senior incident responder, you know
what the L1 incident responder up to the VP of IT makes. It's just fully transparent, so nobody has
to wonder. But you also get to make the right choices for you on, hey, do I want to stick
around and get promoted here? Okay, well, what's it going to be this year? What's it going to be
the next two positions? Okay, well, okay, I can now make an informed choice.
Maybe it's not good enough for me
and I'm going to go somewhere else.
But maybe it is good and I'm going to stay,
which is one of the cons, right?
Like I think a lot of things happen to favor employers
when they should be favoring employees.
And then I think it works out better that way anyways.
But with that pay transparency internal,
we do the exact same thing externally.
So when we have a job description and we post it, we say exactly what the pay is.
And part of the benefit is people can opt in or opt out before that conversation even starts
as it relates to pay. They can make sort of informed choices for themselves and it saves us
time not to get to the offer letter perspective and be
completely misaligned. However, one of the downsides is there are other reasons to go to a company than
just pay, especially a startup that has equity and the equity is fast growing and the equity is worth
a lot more than people ever really understand when you're not part of a startup. And so we can lose
people on the front end that if we were able to get in front of them and explain what they were going to be getting as their full package, they might
actually come on board. I think, again, I'd rather let them opt out. If it's going to be a pay issue,
let them opt out on that. That's fine. Be transparent. If there's icing on top when
you join, then so be it, right? I think that's the better balance. But it also has cons and
our competitors
will go look at exactly what our salaries are and just do like 5K more or 10K more. For me,
I'm excited about that. Great. Again, if our employees can get better options elsewhere,
and it pays just one of the components, but if they can do better elsewhere, good job.
Be excited for them. They're your alumni. I think a lot of employers look at the people on board
and go, oh, they're poaching my people.
Well, they're not your people.
They're your teammates, but that's okay.
They're adults, let them go make their own life choices.
So anyways, we do a lot of these kind of crazy things
where pay transparency fully inside and external
of the company, and there's no negotiations.
We'll say, hey, this position pays 120K.
That's what it pays.
Well, I'd like to negotiate with you at the end.
Nope, started from the beginning and told you it's 120.
We've baselined everything in the market.
We know the 95 percentile of what that is worth.
We're paying at that rate.
And if you want it, that's great.
Otherwise, we're not getting these games.
Another interesting thing we do, as I just ramble on, is if we find that we do need to adjust
because the market has changed, which it has a couple times here during the pandemic. When we
say, oh, well, we need to raise it up. We don't just raise it up for the new people coming in.
We raise it up for everybody in that position. So if we decide, hey, we can't find the principal
incident responder we wanted because we're not paying market today,
then we go and adjust the principal incident responder pay
across the board and then go out to the market
and try to find that person.
So we don't get into this habit of negotiating,
pretending that new people are somehow worth more
than the people you already have on board.
So that's been really cool.
And then the last thing is that we pay everywhere the same.
So a lot of companies, and I don't mean this harshly,
but they take advantage of the fact that based on location,
there's some people around the world
that are used to getting paid less.
If you build out a company arm or buy a local company
or whatever in India, Romania, Ukraine, et cetera,
you can pay a lot less.
And so it helps with margins and all these other things.
And I think that's exploitative to some degree,
and we just don't do it.
So whatever we pay for that position,
we pay the exact same worldwide regardless,
and we just make sure that people get treated fairly.
So because there's a high cost of living in a place like San Francisco or LA or
any of those expensive places, the folks who live in less expensive places, they benefit from
that calibration there, yes? That's correct. So yeah, when we hire engineers as an example,
we know we're competing with the Valley. And so we're paying top-end salaries.
And they're good salaries, including in the San Francisco Bay Area.
But if you're working from, I don't know, where I'm from,
Cullman, Alabama, and the cost of living is nowhere near as close
as San Francisco, you still get the San Francisco-based pay.
So we baselined the salary using the available data sets we have. We constantly
go through this every about six months. And we generally pay at the 95 percentile, so as top
as we can. Sometimes it'll dip down a little, but generally speaking in that kind of range.
And then equity, it's the literal top of the top. And we have programs like boxcar programs, which
nobody even gets done at a board level. Like, we have very, very generous equity plans.
So when we create that listing,
that listing for that position is the same everywhere in the world.
And, yeah, people in various parts of the world benefit greatly from that.
I suppose, too, I mean, this helps with diversity initiatives as well.
I mean, you don't end up with, you know, we see so many times
you'll see a woman
or a person of color say,
hey, I just learned that,
you know, half my team
makes twice as much money
as I do for the same job.
You're getting rid of that
hazard as well, right?
Yeah, absolutely.
So it doesn't solve,
and I know you're not saying that,
but it doesn't solve it
because then you just have to look at things
like promotion and promotion rates.
There's so many things you have to dig into
to try to really be equitable
and make sure that biases don't creep into the organization
and look at who you're hiring and the diversity of that.
But it removes a big barrier for sure.
And there's been numerous diverse candidates
on the way in that have expressed
sincere joy around what we're doing
and how we're doing it.
Because even when you're not being biased or exploitative,
it just removes any doubt.
And so there's nothing you have to worry about.
In other words, you don't have to think about it.
It's like, there it is.
Everyone's getting paid exactly the same,
no questions asked, et cetera.
Then it puts the ownership back on the management team of
let's be thoughtful on how we can be inclusive and promotions
and transparent in how we're doing that and similar. So it doesn't by any
means fix it, but it removes a significant barrier and the
feedback we've gotten so far has been highly positive on that.
All right. Well, interesting insights as always.
Robert M. Lee, thanks for joining us.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease
through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at
ai.domo.com. That's ai.domo.com.