CyberWire Daily - Misconfigured databases, again. Vulnerable subdomains. Dark web search engines. Troll farming. An update on the crypto wars.
Episode Date: March 6, 2020. Virgin Media discloses a data exposure incident, another misconfigured database. Microsoft subdomains are reported vulnerable to takeover. A dark web search engine is gaining popularity, and black market share. Researchers find that Russian disinformation trolls have upped their game. The crypto wars have flared up as the US Senate considers the EARN IT act. Tech companies sign on to voluntary child protection principles. And Huawei talks about backdoors. Thomas Etheridge from Crowdstrike on empowering business leaders to manage cyber risk, guest is Sherri Davidoff on her book, Data Breaches: Crisis and Opportunity. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/March/CyberWire_2020_03_06.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Virgin Media discloses a data exposure incident, another misconfigured database. Microsoft subdomains are reported vulnerable to takeover. A dark web search engine is gaining popularity and black market share. Researchers find that Russian disinformation trolls have upped their game. The crypto wars have flared up as the U.S. Senate considers the EARN IT Act. Tech companies sign on to voluntary child protection principles. And Huawei talks about backdoors.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Friday, March 6, 2020.
Virgin Media has disclosed a data incident
in which some personal information belonging to about 900,000 customers was exposed.
The company says it's taken steps to close the breach, which it attributes to an inadvertently misconfigured marketing database.
The exposed data included what Virgin Media characterizes as limited contact information, that is, names, home addresses, email addresses, and phone numbers. The company says no pay card information was compromised.
The alert service Vullnerability claims that more than 600 Microsoft subdomains are susceptible to takeover.
Forbes notes that while no exploitation has been seen in the wild, a proof of concept is out.
Microsoft says it's working on a fix.
Prompted by last month's U.S. federal indictment of alleged Bitcoin mixer Larry Harmon,
Digital Shadows is tracking a dark web search engine, Kilos, that's gaining black market share.
It comes with an Ask Me Anything page on Reddit,
and the search engine administrator has also introduced a live chat feature to better serve Kilos users.
As Digital Shadows looks at the service's probable future,
that future looks bright in an appropriately dark sort of way.
The researchers write, quote, Kilos' growing index, new features, and additional services combined could allow Kilos to continue to grow and position itself as a natural first stop for an increasingly large user base, whether it's to find and purchase illicit products, search for specific vendors, look for reviews, or stay up to date on current news and updates on markets and forums.
Super Tuesday may have gone off without much incident, but a recently released study by New York University's Brennan Center for Justice thinks the U.S. ought not relax its guard.
The researchers concluded that disinformation operations
directed against the 2020 election began last year
and that the operators behind the IRA troll farm have returned
using many of the same accounts.
The study finds that the trolls have gotten better at impersonating candidates and parties
and are prepared to go beyond the simple amplification tactics seen so far.
It will be interesting to see how successful exposure and blocking of such accounts will prove to be.
Facebook, for one, seems to be devoting considerable attention to identifying and stopping coordinated inauthentic behavior. How Menlo Park and others do against the current versions of the St. Petersburg troll farms will be worth watching.
The crypto wars have returned in a big way, with the introduction of the EARN IT Act in the U.S. Senate, Wired reports. Nominally a measure directed against child exploitation, opponents from an unusually broad ideological spectrum see it as a roundabout way of subverting encryption. Since no thinking person is likely to be actually in favor, at least publicly, of child exploitation and abuse, doing something to protect the children has long been a reliable way of seeking support for a broad range of policies.
It's worth noting that the crypto wars have been going on for a long time.
Institutionally, in the U.S., the Justice Department has long provided the paladins of the anti-encryption forces.
During the previous administration, former FBI Director Comey was the public face of what he characterized as responsible encryption within a framework of ordered liberty.
That role now seems occupied by Attorney General Barr.
The U.S. Justice Department also introduced a set of voluntary principles designed to control online child exploitation.
Computing says that Facebook, Google, and a number of other tech firms have signed on.
There are 11 principles in total.
They aim at getting companies to commit to preventing both known and new abuse
from appearing on their services,
to suppress advertising for such material,
to report abusers,
and to craft terms of service in such a manner as to exclude child exploitation.
They'll particularly target live streaming,
and they'll commit to finding better ways of protecting children online.
They'll seek to limit the extent to which search engines throw up exploitative results, and of course the companies are asked to commit to cooperation and regular, transparent reporting. The document suggests it has ministerial approval in all Five Eyes countries.
It will be interesting to see what the EARN IT Act would do for child safety beyond what conscientious adoption of the voluntary principles would, possibly more reliable evidence gathering in criminal cases, but that alone seems unlikely to make EARN IT any friends on the other side of the crypto wars.
And finally, Huawei continues its charm offensive with a too-earnest-to-be-slick video in its Twitter feed that offers a sparkling little cadenza on what counts as a backdoor.
Some backdoors, it says, are good, like those used for lawful interception of traffic,
and there's no real cause to be concerned about these
because they're used only by duly constituted authority for narrowly defined purposes.
That, of course, is a conceptual backdoor
big enough to drive a busload of Shenzhen operators through,
so few commentators seem to have been reassured.
Does Huawei have a point about backdoors?
Well, sure, but as so often happens,
the trees in this particular forest have stories
that the forest itself knows not.
My guest today is Sherri Davidoff.
Regular CyberWire listeners may recognize her as the protagonist and namesake of Jeremy N. Smith's book, Breaking and Entering,
the extraordinary story of a hacker named Alien.
Sherry Davidoff is CEO of LMG Security, and her latest book is Data Breaches,
Crisis and Opportunity. I have been in cybersecurity for almost 20 years, and when I started off,
I was handling incidents at MIT. I responded to an ad for people who wanted to stay up late and eat pizza and monitor the network. And it has just been amazing to watch the problem evolve, the challenges evolve,
and then the solutions as well. Back when HIPAA first came out when it was first enforced in 2005,
I was tasked with creating the first incident response policies for the children's hospital
in Boston and working with other local hospitals to coordinate. So having watched the laws evolve
and watched the response processes
evolve has been fascinating. And I wanted to take the time to tell those stories, the really
deep and fascinating stories about where data breaches came from and what the human dramas are
behind them.
Yeah, the book really has a lot of breadth to it. You cover a lot of ground throughout. One of the things that caught my eye is this notion that you present that data is the new oil. I found that particularly interesting. Can you describe to us what are you going for with that?
Sure. I wanted to find out where did data breaches come from? You know, as an author, you want to start from the beginning. What was the first data breach? And I managed to nail down when the term data breaches came out. And I'll leave that to you to guess. But even before that, you know, the concept of data breaches had happened. And I went back to the 80s and I found this giant data breach that had happened in the 80s. I managed to get some FBI files on that. So that newly released information is in the book. And that was with a subsidiary of Dun & Bradstreet.
And at the time, Dun & Bradstreet was really excited about information. They said information is the new oil. And at that same time,
the Exxon Valdez spill happened.
And I think that was very poignant, just the fact that those were happening at the same time.
And these days, you know, we don't as a society really know how to contain information, how to control information. It's like automobile repair shops 50 years ago where they were just tossing oil and gas willy-nilly all over the place.
The same is true with data.
So we're in the early days of information management still.
Well, in addition to all of the really fascinating history that you lay out here in the book, there's a lot of forward-looking stuff as well. I mean, you're looking ahead at some of the potential threats for this coming year and beyond. Can we go through some of those together? What's on your radar as we look to the future?
Well, we're seeing three big threats for the year 2020.
Number one, cloud breaches have been huge.
And that's the last chapter of the book because I felt it was very forward-facing.
Cloud data breaches build on a lot of the supply chain risks that we see.
And Capital One is a great example where there was a simple misconfiguration in Amazon.
And you're seeing our society wrestle with these questions about who is responsible.
Is it the cloud provider?
Is it the customer?
There are certainly tools that cloud providers can give you that make it easier or harder
to secure your data depending on the interface.
And so cloud providers certainly share in that responsibility as well.
As responders, we find it very challenging
to respond to cloud data breaches. There's a lot of ins and outs. And I've laid out a lot of those,
a lot of the best practices in my book about what to do if you have a cloud data breach and what are
best practices. But there's a lot of ethical questions. Cloud providers are not always
forthcoming with the data. Sometimes the data that you want to be able to determine what an attacker got and what they didn't get,
sometimes that's not even there in the cloud. So we're really wrestling with these challenges as an industry.
What other topics are you tracking?
Well, we've seen some big changes in ransomware.
Over the past few years, ransomware has become an epidemic. And traditionally,
ransomware has come in, they lock up your files, and they say,
okay, pay us and we'll give you the keys back.
While it is true that if they have access to your files, they might also have stolen them,
a lot of times, they don't actually steal your files.
They don't actually take anything.
They're simply interested in locking up your files and holding you for ransom.
They don't bother exporting information from your systems.
So that is sort of, I guess, a silver lining or some good news for anybody who's a victim
of ransomware.
Because if you pay and if you decrypt your data, there's a good chance that they didn't
actually take anything.
And you can do a forensic investigation to try to rule that out.
What we're seeing now is multiple groups that are engaged in large-scale
ransomware attacks that has shifted to a different type of extortion. So we saw this, for example,
with the city of Pensacola, with the company Southwire. Southwire is a manufacturing company,
and they were being held ransom for $6 million. So they said they weren't going to pay that.
Presumably, they had good backups. Hopefully they were able to recover their data. It did cause some outages,
but the criminals, once they understood they weren't going to get their money,
they published their data. They started publishing it online. And this has become their new business
model for the Maze group that holds people for ransom, where if you don't pay to unlock your
data,
they will publish it.
So that's what we call exposure extortion.
There are different types of cyber extortion.
If you're being held hostage and you're just trying to recover your data back,
the availability is gone,
that's a situation where you may or may not
want to pay the ransom.
You can wrestle with that question.
But if you're being held hostage
and someone is threatening you and saying,
we're going to release your data unless you pay to keep us quiet, in my mind, an industry best practice, you should never pay that ransom.
Because what is that to stop them from coming back to you in six months and saying, hey, pay us again.
We actually still have your data.
As you were going through and doing the research for the book and you were putting it together,
were there any particular things that surprised you?
Any information that you came upon that really stood out for you as perhaps being different than what you expected it to be?
Absolutely.
Every data breach I dug into had a deep story behind it. And my goal was to boil that down and to learn from it to provide these practical tips for today's responders.
I think every organization needs to have a data breach response plan. So some of the key points that I found are, number one, every crisis is an opportunity. And it's important to remember that
a data breach is a crisis. Back when you and I first started geeking out back in the day,
when someone hacked into a system, that was not considered a
data breach. The term data breach didn't even come out until later. And remember, you still have to
guess when the term data breaches came out. But when I first started at MIT, you know, and Blaster
was coming out, Slammer was coming out, all these big viruses, we just cleaned them off of people's
computers and moved on as soon as we had those back up and running.
And it was only over time that people started to realize, oh, that information could be stolen.
So we used to have, the national government came out with a response framework, the NIST incident response life cycle. And that was really helpful back then. But it's clear that today,
data breaches touch every aspect of your organization. Every single part of an organization can be touched
when Equifax happens, when Capital One happens,
whenever any of these mega breaches happens.
Even small businesses can go out of business
because of a data breach.
So we need to start treating them in different ways.
And that was my big fundamental finding,
that data breaches need to be moved out of the IT department
and treated as a crisis.
And you have to include them in your crisis management planning systems.
Every crisis is an opportunity to learn, to grow, and to change.
That's Sherri Davidoff from LMG Security.
Her book is Data Breaches, Crisis and Opportunity.
And I'm pleased to be joined by Tom Etheridge.
He is the VP of Services at CrowdStrike.
Tom, it's great to have you on the show.
We wanted to touch today on the notion of empowering business leaders to manage their cyber risk.
What can you share with us today?
Thanks, Dave. Great to be back.
One of the things that we talk to our customers and prospects about, as well as C-suite executives that we address from a services
perspective, is the fact that cybersecurity is one of the top five risks that most businesses face.
However, it's one of the least understood from an executive or a board level perspective.
What we see is that most executives and leaders understand what impacts things like, say, the China trade war has on their supply chain.
But understanding the impact of a cyber attack and how that would impact the bottom line for most organizations is very challenging.
Now, is this a situation where this stuff, the folks in the C-suite having come up through business school and through their professional careers,
this isn't something that necessarily they interacted with all that much.
Exactly.
Most executives do not have the foundational knowledge in their tool belt to speak about these types of risks.
They understand geopolitics, global trade flows, macroeconomics, but understanding the risk and impact of a cyber event on their organization,
that's not something that's taught in most business schools.
And so for you, what is that process like when you're interacting with these folks?
Are you serving as a translator?
One of the concepts we talk to our clients about is the CIA triad.
Looking at risk from a cyber perspective in terms of confidentiality of information,
the integrity of the organization, and the availability of services and products that
the organization may be taking to market.
Using this lens to better understand
cyber risk is a concept we talk to our execs about all the time. Thinking about what's going on in
the market and let's say ransomware, how does that impact the availability of those products
and services to customers of that organization? Looking at data loss and PII and what that impact would be in
terms of confidentiality. Those are the things that we try to educate execs and board members
on in terms of looking at risk in terms of the confidentiality, integrity, and availability of
services that they offer to their clients.
Teaching executives about the CIA triad, making sure that they have a good foundational understanding,
and provide cyber risk reports broken down by confidentiality, integrity, and availability,
and being able to track security metrics through the CIA triad lens.
Now, are we at the point now where this is a conversation that is welcome from the board members? I mean, the understanding is that this is part of the
day-to-day operations. I think most boards are starting to get on board with the concept that
cyber risk is certainly one of the top five risks that organizations face.
And they are investing in getting educated on the questions that they need to be asking leaders and
the staff that run the business, as well as understanding what questions they need to ask
of themselves in terms of investments and the redirection of assets to support improvements to cybersecurity preparedness and readiness.
All right. Well, Tom Etheridge, thanks for joining us.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.