CyberWire Daily - More stolen alt-coin is returned. Accenture reports minimal effects in the alleged LockBit attack. Home routers attacked. Source code for sale? PrintNightmare exploited in the wild. Extradition cases.
Episode Date: August 12, 2021
More stolen coin is returned in the case of the Poly Network cross-chain hack. Accenture says the incident it sustained had no significant effect, and the LockBit ransomware gang who claimed responsibility release some relatively anodyne files. Home routers are under attack. Crooks are offering what they claim to be Bkav source code for sale on Raidforums. Magniber weaponizes a PrintNightmare flaw. Dinah Davis from Arctic Wolf shares stats on the state of women in cyber. Our guest is Peter Voss of Aigo.ai on what’s missing in artificial intelligence. Two extradition cases proceed. And the Solarium Commission reports. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/155
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
More stolen coin is returned in the case of the Poly Network cross-chain hack.
Accenture says the incident it sustained had no significant effect,
and the LockBit ransomware gang who claimed responsibility released some relatively anodyne files.
Home routers are under attack.
Crooks are offering what they claim to be Bkav source code for sale on Raidforums.
Magniber weaponizes a PrintNightmare flaw.
Dinah Davis from Arctic Wolf shares stats
on the state of women in cyber.
Our guest is Peter Voss of Aigo.ai
on what's missing in artificial intelligence.
Two extradition cases proceed
and the Solarium Commission reports.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, August 12th, 2021. According to Reuters, the hoods who stole somewhere in excess of $600 million from DeFi provider Poly Network have now returned more than half of what they took, about $324 million,
leaving some $268 million still outstanding.
The Block reports that the attacker or attackers created a token saying,
quote, the hacker is ready to surrender, end quote,
and shortly thereafter began returning the coin they'd taken.
Why the criminals are returning their loot is unclear,
but people claiming to be the attackers have begun
saying that they hacked Poly Network to make a point about security, or that they did it for the
lulz, or for some other more or less good reason. Security firm Elliptic, which has been keeping an
eye on this incident, has been tweeting an auto-interview the apparent hackers have been
posting. They ask their own questions,
which they proceed to answer. It will surprise no one that the questions are softballs pitched
to be easily knocked out of the park with a big swing of self-congratulation. He, she,
or they did it, first of all, for fun, because cross-chain hacking is hot.
So if you credit the auto-interview, they did it for the hack value.
One exchange quoted in the Wall Street Journal exhibits a lofty disinterest in wealth,
combined with a didactic urge to educate the victims,
effectively the hackers' students, for their own good.
Says they, I am not very interested in money.
I know it hurts when people are attacked,
but shouldn't they learn something from those hacks? Another post says the attackers would
like to give them tips on how to secure their networks. Reuters suggests a more self-interested
reason may have been in play. The hoods bit off more than they could chew. They may just have found that so much money was simply too
difficult to launder. The BBC quotes expert opinion to the effect that the crook or crooks
have also been spooked by the amount of attention their heist attracted. And the message,
the hacker is ready to surrender, shouldn't be taken too literally. No one has actually shown
up at a police station saying, take me in, officer, I'm ready to face the judicial music.
The AP quotes Accenture as saying yesterday that it had identified irregular activity in one of our environments
and immediately contained the matter and isolated the affected servers.
The firm didn't say when the incident occurred or identify it as a ransomware attack,
but it did say it had, quote, fully restored our affected systems from backup.
There was no impact on Accenture's operations or on our client's systems, end quote.
LockBit operators claim to have hit Accenture
and to have obtained some of the company's data in the
course of their attack. The gang threatened to leak the files if they weren't paid, and as their
deadline expired, began doing so. The Record has published a screenshot of some of the files that
have been dumped, but their assessment is that the data they contain don't appear to be particularly
sensitive. Less than a week after disclosure, a vulnerability
in home routers from some 20 different vendors is under widespread attack, ThreatPost reports.
Attackers are adding the affected routers to a Mirai botnet suitable for conducting distributed
denial-of-service operations. Naked Security has a guide on how to determine whether your device
is affected and what to do about it.
A good place to begin is Tenable's list of vulnerable devices.
VNExpress says that an offer of source code for some of Bkav's security products has been posted to Raidforums,
where those who claim to have obtained the code are offering to sell it for $250,000.
Bkav says it's investigating.
CrowdStrike reports that the operators of the Magniber ransomware
have weaponized the twice- or thrice-patched PrintNightmare remote code execution vulnerability
that afflicts Windows systems, and are now using it in the wild,
for the most part against targets in the
Republic of Korea. The Record points out that there are two vulnerabilities known colloquially
as PrintNightmare. The one CrowdStrike is seeing undergoing active exploitation is CVE-2021-34527.
A Canadian government lawyer told the Vancouver court hearing Huawei CFO Meng Wanzhou's extradition case that Meng had committed fraud.
The U.S. is seeking her extradition, and court proceedings are now entering their final phases.
The AP reports that China's sentencing of Canadian entrepreneur Michael Spavor to 11 years in prison for spying, and the imposition
of a death sentence on Canadian Robert Schellenberg, convicted of drug trafficking,
are widely viewed as retaliatory attempts to pressure Canadian authorities into releasing Meng.
In another high-profile extradition case, the Washington Post reports that Britain's High
Court granted the U.S.
broader grounds on which to appeal a lower court's earlier denial of a request to extradite
WikiLeaks proprietor Julian Assange to face espionage charges in the states. That case also
continues. And finally, the U.S. Cybersecurity Solarium Commission has issued its 2021 Annual Report on Implementation.
The report is broadly encouraging.
The commission wrote,
Last year, we concluded that attaining meaningful security in cyberspace requires action across many coordinated fronts.
We have seen a great deal of progress in implementing the original 82 recommendations from
the report, as well as the recommendations we added in white papers along the way.
Some of the recommendations, of course, remain works in progress, including codifying the concept
of systematically important critical infrastructure and establishing a collaborative environment.
These are complex and challenging
goals, the commission says. Some of the recommendations are being addressed in
legislation that remains pending in Congress. The Cyber Diplomacy Act, which has yet to pass
the Senate, would implement the commission's recommendation for a cyber-focused bureau at
the State Department. And some have yet to gather enough support,
specifically the establishment of permanent select committees
on cybersecurity in the House and Senate
and the passage of a national data security and privacy protection law,
which the Commission says are unlikely to move forward in the near future.
But the Commission says it remains hopeful
and that it intends to ensure that
its recommendations are ready when the time comes.
in the category of chatbot skeptical. When I see a chatbot on a website, my tendency is to shut that thing down right away.
Peter Voss is founder, CEO, and chief scientist at Aigo.ai,
developers of what they describe
as a second-generation intelligence engine.
He joins us with insights on what AI can bring to chatbots
and why maybe folks like me
need to give chatbots a second chance.
The technology that's typically being used in chatbots today is basically you have some
AI-trained system that will try to make sense of what the person is saying,
and then somebody writes a response to that. So it's like a stimulus response. The problem
with that approach is that there isn't really any deep understanding, and there isn't any, you
know, memory or history or learning of what the conversation is all about. So that's sort of
the current state of chatbots that don't have a brain.
And of course, our innovation is that we've added a brain to the chatbot infrastructure
that actually can have deep understanding, remembers what you said earlier,
and so you can have a real conversation.
You know, I have to say that, and maybe this is
just a result of me being in that generation that came up before texting was the thing that it is
today. But, you know, if I see a chatbot on a website that I'm going to visit, generally,
I'm not all that happy about that. I'm skeptical when it comes to the level of interaction I'm
going to get from something like that. Is that a common response that you all have found?
Yes, absolutely. And, you know, we talk to a lot of large corporations, you know, whether it's
banks or retail or insurance or medical, and, you know, they've all implemented these chatbots.
In some cases, they've implemented them and then abandoned them
because of the limitations that I just spoke about.
Now, of course, you also have to understand that a chatbot
can be connected to a live agent.
But you don't know that typically when you see a little, you know,
a window pop up for a chatbot, it doesn't usually tell you whether that's an automated system
or whether you're actually talking, you know, whether somebody, a real human is responding to it.
It also seems to me that for those of you who are offering up these sorts of things that
there's a very limited window of forgiveness
there. You know, like I'm happy to interact with the chatbot, but boy, the minute it gets something
wrong or the minute it causes me frustration, I'm going to bail.
Yeah, absolutely. And, you know,
and so you should. So, you know, a customer experience should always be good, you know.
And if it isn't, I mean, either it should, you know,
transfer you to a live person who can handle it
if it's something that's beyond the capabilities of the chatbot.
But in the first instance, it should just be, you know, much better.
It should understand what you're saying.
And, you know, you should be able to have a meaningful conversation and get done what you want to get done.
What about the difference between a chatbot that makes use of AI,
the way that yours does, versus a search window, say, on a website?
Is it a matter of having both things available so that people can
choose the way that they prefer to interact with, say, a website?
Oh, yes, absolutely. And, you know,
companies do that. I mean, they do offer search. But, you know, search has the same kind of
limitations, in fact, in a way worse, in that it doesn't remember, for example, you can't really easily tell a search window that you're not interested in a particular product or you've already looked up a certain answer and you're not interested in that.
So even the simplest of chatbots today that are offered, the companies will advertise them as using AI.
So that by itself doesn't really tell you very much.
It might have some pattern matching or whatever it has.
Typically, every vendor will tell you they're using AI.
But the difference is, does it really have a cognitive engine or what we call a brain?
Can it remember what you said earlier on in the conversation?
Does it have deep understanding?
Does it have reasoning?
You know, can it ask for clarification if, you know, you say something ambiguous?
So that's kind of why we talk about a chatbot with a brain.
You know, they all claim to have AI. So does it have a brain? Does it have a cognitive engine? Or does it not have a cognitive
engine? And, you know,
And I'm pleased to be joined once again by Dinah Davis. She's the VP of R&D Operations at Arctic Wolf. Dinah, it's always great to have you back.
You know, I know something that is near and dear to your heart is helping women in cybersecurity. And you've recently, you gave a talk recently and you also did a survey recently on this topic. What can you share with us today?
Yeah, I was actually fortunate to give a talk at Halifax B-Sides recently,
and they asked me to do a talk about women in cybersecurity.
And I thought to myself, okay, well, you know,
I can tell my story.
I can tell kind of the things I think we should do
to make it better.
But then again, in the same way
that I created Code Like a Girl,
it's always better when it comes from multiple voices
and different perspectives.
So I thought, well, maybe I should just send out a survey, right?
Maybe I'll get 15, 20 responses and see what people think.
And how did that go?
I actually got over 50 responses.
I was really impressed.
Yeah, I know it's still a small number, but I was pretty happy with that.
Yeah, and what'd you learn?
Yeah, so one thing that I had a hunch on was that cybersecurity wouldn't be their first career.
And so I asked that question very specifically, like, is cybersecurity your first career?
75% said no. And I think I would
love to kind of find out those answers from men as well, because I think a lot of people come into
cybersecurity that way, but it feels to me like this would be maybe even a bit higher than the
men. But I don't have any real data about that, just a gut feeling.
But to go down that path, you know, with your gut feeling,
because you're no rookie when it comes to these sorts of things. Do you have a sense or a guess
as to why that might be?
Yeah, I think it's just not encouraged. Like it's just not even seen.
So even if we think about like one of the interesting pieces of data that I pulled was
like, how long have you been in cybersecurity, right?
And so how long have these women been in cybersecurity?
And, like, 54% of them had been there for under five years.
And that was also including a number of students that were going through a cybersecurity program that filled this out.
And then you even look at it, only like 18 percent were 15 years plus.
And so I think there's been this explosion, right? So before this explosion of cybersecurity that
really started, I think, in about 2017 with WannaCry and NotPetya, when it became like an
actual, you know, super visible thing that people started to actually care about, it was this little niche field in computer science that,
you know, had this, like, connotation of only, like, weird guys, like that,
that maybe don't hold back.
That maybe in another life would have liked to be hackers.
This is the perception. I'm not saying this is the reality. This is the perception.
Right, right.
It's not the reality. I mean, I've been in security since 2001, so I'm putting myself in those buckets.
So are you saying that the perception was to get to cybersecurity, first you had to go through computer science, and that's quite a jungle to make your way through.
Yeah, it absolutely is. And what I think we're seeing because of the need for this is there's people jumping in from all different places. So one of the interesting things I asked them was
like, what did you do before cybersecurity? Right. And a lot of them said IT, but some of my favorite answers here are culinary arts, a chemist, veterinary, hospitality, sales.
These are all things they did before.
And I think I've even listened to some of your career notes where people have come from, there was a lady who came from library sciences.
And I'm like, oh, that makes so much sense, right?
Right.
Because I think this cybersecurity has so many different roles
and you're able to do so many different things,
but there's this perception
that you must be almost as good as a hacker
to work in cybersecurity, which is not true.
Any other interesting tidbits that came out of the survey?
How did you discover cybersecurity
was a question that I asked
and I got some typical answers like job entertainment news. My favorite answer by
far, and it was more than one person answered it, was that they got hacked. They got hacked.
Yeah. Oh, so they got hacked and then they got even.
They got hacked and they got interested in it and started to like go down the path of like, well, I want to do this.
Like, I want to stop this from happening to other people.
That was by far my favorite.
Oh, isn't that interesting?
I mean, overall, based on the information that you gathered here, what is your sense? Is there, do you feel as though we're headed in a good direction?
To what degree is progress being made here?
I think we're making a lot of progress, actually.
I think there's more progress in the last five years than we saw in the previous 20.
And so that's, you know, that's a good thing.
I still think there's a long way to go.
My favorite quote these days is one from Ruth Bader Ginsburg. Someone asked her, you know, how many women is enough women on the
Supreme Court? And she said, when there's nine. Because right now or before when there was nine men, no one even questioned it. So for me, when is it enough?
When you have full teams of C-level women running companies
and nobody thinks that's unique.
Right, right.
Yeah, nobody thinks twice about it.
It just is.
Right.
All right.
Well, interesting stuff for sure.
Dinah Davis, thanks for joining us.
No problem.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Trey Hester, Puru Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, Thanks for listening.
We'll see you back here tomorrow.