CyberWire Daily - More from WikiLeaks' Vault7. Cyber ops and national policy. NotPetya's costs. Clouds of misconfiguration. Chasing innovation. AlphaBay takedown. Phishbait.

Episode Date: July 14, 2017

In today's podcast, we hear that WikiLeaks dumps another alleged CIA cyber manual from Vault7. Cyberwar is the continuation of war (and therefore policy) by other means. Counting the cost of NotPetya. AWS S3 misconfigurations could happen to the best of us (but need not). Chasing innovation in the UK and the US. AlphaBay taken down in international police operation. Rick Howard from Palo Alto Networks on their new initiative with the Girl Scouts for cyber security merit badges. Raj Samani, chief scientist from McAfee, on NotPetya. And what kind of bait is best for phishing?

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 WikiLeaks dumps another alleged CIA cyber manual from Vault 7. Cyber war is the continuation of war, and therefore policy, by other means. Counting the cost of NotPetya, AWS S3 misconfigurations could happen to the best of us,
Starting point is 00:02:11 but need not. Chasing innovation in the UK and the US, AlphaBay taken down in an international police operation, and what kind of bait is best for phishing. I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, July 14, 2017. WikiLeaks yesterday released a manual for HighRise, also known as TideCheck, allegedly a CIA app that enabled interception of SMS text messages in earlier versions of Android. The Vault 7 leak is dated December 2013.
Starting point is 00:02:49 It purports to describe a tool effective against Android versions 4.0 through 4.3, that's Ice Cream Sandwich and Jelly Bean. It's worth noting that HighRise wasn't designed to be installed remotely, but required physical interaction with a device on which it was to be placed. This suggests, as Bleeping Computer observes in their coverage of the Vault 7 dump, that HighRise may have been more of a tool for providing a secure back-channel of communication for CIA officers or agents in the field. It's also worth noting again that there's still no publicly available explanation of how WikiLeaks is getting the contents of Vault 7. The one thing that everyone remembers about Karl von Clausewitz is that the Prussian staff officer and philosopher of war famously said that war is the continuation of politics by other means.
Starting point is 00:03:44 Now that consensus has come to regard NotPetya as almost surely a Russian operation, observers repeat the conventional Clausewitzian wisdom and discover that cyberattacks track geopolitical interests. In the case of Russia, those interests often involve fostering chaos and degrading trust, from which one may infer that Russian cyber operations will cast a wide net, just the way NotPetya did. Companies affected by the destructive bogus ransomware campaign are still digging out and assessing the financial damage. They also have financial consequences.
Starting point is 00:04:15 Paris-based multinational building materials manufacturer Saint-Gobain, one of NotPetya's prominent victims, probably lost $230 million in sales due to the attack. That comes to about 1% of the company's first-half sales. Saint-Gobain said Monday that it had restored all systems to normal operation before the workweek began Monday. After the Verizon NICE Systems breach, experts advise Verizon customers to change PINs. And of course, enterprises need to consider their exposure to third-party risks, as it seems the cause of the data exposure lay in Verizon's vendor, NICE Systems. Experts also advise everyone to pay more attention to how their AWS S3 buckets are configured. This represents the third significant data breach this year
Starting point is 00:05:05 traceable to AWS S3 misconfigurations by vendors. The earlier incidents were the exposure of Republican National Committee information by Deep Root Analytics and the exposure of sensitive but unclassified information from the National Geospatial Agency by Booz Allen contractors. All inadvertent misconfigurations, all affecting organizations that weren't noticeably slipshod, and all apparently too easy to commit. London-based Bupa, the healthcare firm that disclosed a data breach Wednesday, says it wasn't hacked. A rogue insider, now fired, exposed the information. That insider was at the time employed by Bupa,
Starting point is 00:05:46 but companies are advised to keep an eye on departing employees, too. A study sponsored by OneLogin and released yesterday found that about half of all former employees retained access to corporate applications for some time after their departure. And the password management company notes that, quote, failure to deprovision employees has caused a data breach at 20% of the companies represented in the survey, end quote. Governments on both sides of the Atlantic are looking for ways of fostering innovation and closing their
Starting point is 00:06:18 security skills gap. In the UK, GCHQ has established a cybersecurity accelerator, the intelligence agency's second such center, and in the US, the Defense Department is seeking to streamline acquisition of cybersecurity products in ways that bypass the familiar cumbersome and long lead-time procurement mechanisms. The US Army, for its part, has introduced an innovative recruiting gimmick, "Solve a Hacker's Problem," to attract technical experts who may be eligible for direct accession to Cyber Branch. AlphaBay, Silk Road's successor as market leader in the dark web contraband world, now
Starting point is 00:06:58 really is gone. Its fundamentally criminal clientele feared last week that AlphaBay's operators were absconding with their money. Not so. It's worse than that. AlphaBay was taken down in a joint police operation by Canadian, U.S., and Thai authorities. Its alleged proprietor, Alexander Cazes, is dead, an apparent suicide in a Thai jail. A sad dead end to a young life. He was only 26. Finally, a study by social engineering training and security firm KnowBe4 shows that the one
Starting point is 00:07:33 weird trick to getting people to bite on your phishbait is to stay professional. Sound like you're from HR or IT, and the people who get your emails are less likely to spit the hook. KnowBe4's look at successful subject lines in phishing emails is a good news, bad news story. The good news is that people aren't swallowing traditional lurid clickbait or pleas from royal or ministerial Nigerian widows as much as they once may have. The bad news is that the phishbait is getting more plausible as it grows more prosaic. The leading lures in KnowBe4's study were security alerts,
Starting point is 00:08:13 vacation and sick time policy announcements, and package delivery notifications. The one relatively old-school outlier came in tied at number four, "Breaking: United Airlines passenger dies from brain hemorrhage, video," which suggests some lingering morbid sensibilities in the workplace. Although two baits tied with it, "A delivery attempt was made" and "All employees: update your health care info." They were consistent with the new, more business-like phishing style. So be careful out there.
Starting point is 00:11:38 Joining me once again is Rick Howard. He's the Chief Security Officer at Palo Alto Networks, and he also heads up Unit 42, which is their threat intel team. Rick, welcome back. You've got a great story to share with us today, and this involves the Girl Scouts of America. Absolutely. Thanks for having me on, David. You and I have talked in the past about the shortage of cybersecurity professionals, just in general. CSO Magazine said this year that worldwide, okay, there is a million unfilled jobs. And when you consider women in the network defender community, Forbes said last year that they make up only 11% of the cybersecurity workforce. And if you add a minority to that checklist, say a black woman or a Hispanic woman,
Starting point is 00:12:18 that number drops to under 1%. Yeah, I know. It's just amazing, right? And the network defender community, you know, we have been talking about this for a number of years and hope to fill the gap. But it's clear to all of us that in order to fix it, we're going to have to hire a bucket load more women and minorities if we're going to have any chance of closing the gap. Right. So the problem, though, is that many women and minorities lose interest in STEM stuff. You know, that's, I always
Starting point is 00:12:45 have to look up the acronym, but it's science, technology, engineering, and math. They lose, they seem to lose interest before they get to college. And there's lots of reasons for this, and they've been well documented. There's a male-dominated culture that turns women off. There's popular culture that pushes women into, I'm quoting here, traditional women's roles. Minorities don't have access to strong STEM education. There's a bunch of others. Okay, well, we're tired of just, you know, listing what the problem is. And we at Palo Alto Networks decided to do something about it. So we've invested in partnered with the Girl Scouts to build a cybersecurity training program for the 1.8 million Girl Scouts in the world today.
Starting point is 00:13:30 I think it's fabulous, right? We're going to build a curriculum for 18 cybersecurity badges intended for grades K through 12 in the Girl Scout program. The instruction will roughly be divided into two categories, online safety and network defender education. And we plan to roll the first badges out sometime in the fall of 2018. And I can't tell you how proud I am that I've worked for a company who supports an idea like this. Geez, almost 2 million Girl Scouts will receive cybersecurity training throughout their educational career. They will be nurtured and trained and coached to not only be experts in the field, but also to believe that they can make a
Starting point is 00:14:10 difference in the field and that they can be leaders in the field and that cybersecurity is a fantastic place to change the world for the better. This is Palo Alto Networks and the Girl Scout organization saying that we want women in the network defender community. We value what they bring to the table and we are willing to help them get there. Yeah, it really is a great effort and hats off to you for this. And it seems to me like one of the other things that really does is that it gives them an opportunity to explore this in an environment that they're already comfortable in. I agree with that totally. You know, and the Girl Scouts are fabulous about their entire education curriculum, not just cybersecurity and the chance, the idea that we get a chance to kind of hook into their fantastic infrastructure and to kind of inject
Starting point is 00:14:54 cybersecurity into their environment. I mean, that's just a win-win. All right. Rick Howard, it's good stuff. Thanks again for joining us. Thank you, sir. My guest today is Raj Samani. He's Chief Scientist and McAfee Fellow at McAfee and also Special Advisor to the European Cybercrime Center. We began our conversation with a look back at Petya, not Petya. I think the key thing to recognize is, you know, we've talked about Petya, not Petya, as being a ransomware attack.
Starting point is 00:16:15 The reality is, I think both this campaign and equally WannaCry, they don't actually follow the same modus operandi that we would expect normal ransomware to take. You can argue that WannaCry may have been a ransomware campaign, and there are certainly indications to suggest that they at least had some mechanism to communicate with victims. But in Petya's example, it would appear that this was a campaign designed to cause destruction. And in fact, you know, looking at the number of files that they encrypt, it was only 65 file types. And so it was designed to be spread fast, quickly, and as fast as possible.
Starting point is 00:16:53 And so where are we with all of this? Well, we know, obviously, that attempts have been made with regards to attribution, but I don't think we've actually settled on a malicious actor yet. We haven't even settled on a name for Petya, actually. So I think we're a little way away, but in terms of trying to determine why they did this, how they did this, and indeed who it was. I think the lesson to learn from all of this is that there's a broader acceptance now amongst businesses that what we do is not an IT issue.
Starting point is 00:17:27 You know, we've seen examples where nuclear plants have had to switch monitoring words to manual. We've even seen examples where companies have had write-downs of quarterly revenue earnings. And so if anything comes out of this, it has to be a recognition that this is not an IT problem. This is a business issue. What about the notion that perhaps Petya, NotPetya, was a targeted attack that escaped and went a little farther in the wild than the people who set it out there had planned for it to? That may well have been the case. And, you know, I think if we look at the facts that are presented to us, you know, it would suggest, and it would appear in terms of the way that the infections occurred,
Starting point is 00:18:11 that the initial target was the Ukraine. Now, that's based upon, you know, the evidence that we have before us, in terms of the fact that the majority of infections came from there. But it's not as simple as that. You know, I remember the good old days. And by the good old days, I mean like February or March, when, you know, when we had like the Shamoon attacks. And, you know, we did a significant amount of analysis on the latest iteration of Shamoon.
Starting point is 00:18:39 And, you know, that was great because, you know, it waved its hand and it says, hey, we are a targeted campaign. Most likely nations directly or a single purpose is there to disrupt and wipe the computers only that are owned within Saudi Arabia. With Petya, not Petya, it kind of appears to be, you know, I'm kind of using terms like maybe and probably and we think, and certainly we think that it was a campaign meant to disrupt the Ukraine. Of course, the customers of M.E.Doc were more than just Ukrainian companies. And that's part of the reason why we saw this. But also, you know, we have to remember that the propagation method was pretty effective. I mean, there were multiple propagation methods associated with
Starting point is 00:19:23 it. So I suspect that it was, you know, it may well have been. But again, you know, every answer in our industry is a maybe or probably or yeah, it could be or depends. It seems as though with Petya, not Petya, that this is another example of people sort of bracing themselves, wondering if this is the big one. Like it's inevitable that one of these is going to hit, that's going to be a global pandemic and, you know, is going to cause huge damage. And then we sort of whistle past the graveyard that, well, we dodged this bullet. Well, I don't think we did. I mean, you know, you asked the individuals that were impacted,
Starting point is 00:20:00 you asked the shipping companies, you asked the legal firms, you asked the major PR and advertising firms, did they dodge the bullet? No. But, you know, and I think, Dave, this is probably something that we all kind of feel in this industry. And certainly I feel it anyway. These last couple of months have just been insane. I mean, you know, we had WannaCry, we had the Cybellum work, we had the Vault 7 disclosures. You know, it appears that we veer from crisis to crisis to crisis. One of the reasons why it's becoming such a big issue is because our dependency on technology is almost ubiquitous. You know, and you saw this when, you know, hospitals were hit by ransomware, whereby the ability to be able to revert back to manual systems, to be able to continue to provide patient care, we've almost moved on from that. The ability to be able to revert back to manual systems or to be able to not leverage technology,
Starting point is 00:20:50 I think is lost upon us. And so our dependency on technologies is almost ubiquitous now. And it's going to continue as well. So if I'm a board member and I'm looking at my company and I'm looking across at companies like Maersk who got their shipping capabilities affected by Petya. What should my approach be?
Starting point is 00:21:10 How do I respond to these sorts of things and protect myself? I guess I could answer the usual answer, which is security and privacy by design and so on and so forth. But I think it's deeper than that. Look, I used to be a CISO. My boss, I think I was there for, I think for four years, I probably met them three times. The reality is that there's this perception that security is an IT issue. And so do we have the security team and security department engaged at board level? The answer is no.
Starting point is 00:21:40 I mean, I spoke at the CSA Summit in London just recently, and I asked a question. And there were like quite a lot of senior people there, and I said, how many of you have spent any time with the CEO? And less than five percent put their hand up. And the reason is because there's still this perception that what we do is an IT issue. And yet it's not, because any firm, if you lose access to your systems, if you lose the shop window to what you do, not only do the day-to-day business, but also, and this is a great term that the Ponemon Institute talk about, which is this thing of the abnormal churn rate, you know, customers will end up
Starting point is 00:22:14 leaving you. And actually, that's going to be between 2 to 5%. And in fact, that could be higher. I mean, when TalkTalk were hit, the reports were they lost 90-plus thousand customers. And so it's a significant issue. And I think the board needs to recognize that this is not an IT problem. It's actually part of business risk and true business risk. And actually, most firms today are IT companies, whether they like it or not. And so there has to be that acceptance and recognition, and then hiring the right people, and then enabling them and empowering them to be able to be senior, to be able to make those decisions. That's Raj Samani from McAfee. One of the initiatives he's particularly proud of is the No More Ransom project, which combines the efforts of companies like McAfee, Intel, Amazon, and others, along with international law enforcement,
Starting point is 00:23:05 to help ransomware victims and to bring the bad guys to justice. You can check that out at nomoreransom.org. And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.
