CyberWire Daily - No insight yet into Las Vegas gunman's motive as ISIS inspiration generally discounted. Yahoo! breach affected 3, not 1, billion user accounts. Equifax updates.
Episode Date: October 4, 2017

In today's podcast, we hear that ISIS claims of responsibility for Las Vegas murders continue to lose plausibility, but the shooter's motives remain a mystery. Yahoo!'s epic breach just got even more... epic. Equifax looks little better in the wake of its CEO's Congressional testimony. A major breach seems to be unfolding in India. Jonathan Katz from UMD on the importance of random numbers for cryptography. Guest is Dave Mahon from CenturyLink on the importance of diversity and opportunities for women in cyber security. And does Star Fleet still run Windows XP? Who's responsible for information security on that bridge anyway? Thanks for listening to the CyberWire. One of the ways you can support what we do is by visiting our sponsors. If you'd like to learn more about how small nuances in how artificial intelligence and machine learning are used can make a big difference, check out E8's white paper. Delta Risk put together an infographic full of tips for Cyber Security Awareness Month. If you are a woman in cyber security and want to make connections with others in the field, check out our own Women in Cyber Security event.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
ISIS claims of responsibility for Las Vegas murders continue to lose plausibility, but the shooter's motives remain a mystery. Yahoo's epic breach just got even more epic. Equifax looks little better in the wake of its CEO's congressional testimony. A major breach seems to be unfolding in India. And does Starfleet still run Windows XP? Who's responsible for information security on that bridge, anyway?
I'm Dave Bittner in Baltimore with your Cyber Wire summary for Wednesday, October 4th, 2017.
The motives of the Las Vegas gunman remain a mystery. Few credit ISIS claims, carried by its online news service Amaq, that the shooter was a jihadist soldier. But the absence of any discernible motive is baffling. Clark County Sheriff Joseph Lombardo did say that they were still looking into the possibility of some unknown radicalization, but that still appears unlikely.
Yahoo, under its new status as a Verizon unit, has determined and disclosed that all three billion of its email users were in fact compromised in its already massive, now more massive than anyone believed, 2013 breach. Last night's disclosure multiplies the largest breach in history by a factor of three. Yahoo's current corporate parent Verizon, which closed its acquisition of Yahoo this summer, disclosed the new figure late yesterday on the basis of what it characterizes as fresh evidence. Verizon's acquisition of Yahoo had been delayed by Yahoo's belated disclosure in September and December 2016 of breaches it sustained in 2013 and 2014, and the purchase came at a renegotiated price that knocked some $335 million off the original sticker.
Yahoo's security FAQs are unlikely to provide much comfort. They read in part: "Yahoo is providing notice to additional user accounts affected by an August 2013 theft of user data previously announced by the company in December 2016. This is not a new security issue. In 2016, Yahoo previously took action to protect all user accounts."

So there you go. It's a known issue, and anyway, all user accounts are still protected under previously taken action. So is this latest disclosure much ado about nothing? A billion here, a billion there. Maybe one person's lost data is a sad inconvenience, one retiree's stolen pension a tragedy, but a billion users compromised? Isn't that just a statistic?
Well, no, at least according to what we heard from security firm Centrify's Corey Williams. "Does this make the breach three times worse than before?" Williams asked, and then answered four times, yes. Yes, because nearly every online user in the entire world was impacted. Yes, because an email notification is being sent to an additional two billion people announcing that Yahoo failed in its responsibility to protect user information. Yes, because this is another reminder of the black eye on the world's cyber security. Yes, because it reminds us that Russian intelligence conspired to protect, direct, facilitate, and pay criminal hackers to collect information through computer intrusions in the United States and elsewhere. So, more than a statistic, and yes, it's not good.
Coming on the heels of the Equifax debacle and numerous other data exposures we're now conditioned to regard as relatively small, this slow-developing mess has reinforced calls for data security regulation at least as stringent as GDPR. It may also prompt stricter liability for corporate officers, perhaps even for government officials. We heard from Willy Leichter at security company Virsec Systems. He tells us this news will increase building momentum for breach disclosure legislation. He told us in an email, quote, "This news will add more fuel to the fire for having legal standards on how quickly breach information is revealed and how much detail is required. As we've seen in the Equifax hearings, even conservatives are calling for legislation moving in the direction of the European GDPR."

Speaking of Equifax, the credit bureau's departed CEO Richard Smith's congressional testimony yesterday mollified few, and it reinforced a picture of poor preparation and response. He said the breach originated with someone's failure in March to communicate that Apache Struts needed to be patched. A subsequent scan to identify software needing updates also failed to catch the oversight. That second scan is being called a failsafe measure, which seems incorrect. It was a redundant check. A failsafe system, by way of contrast, would have shut a system down rather than permit its continued operation in an unsafe mode. Smith said the failed scan is still under investigation by outside counsel.
Among the unpleasant details that emerged in the hearing is the fact that Equifax hired outside counsel about a month before it disclosed the breach. They brought King & Spalding in on August 2nd to investigate suspicious activity on a customer portal that Smith said came to his attention on July 31st. This has led Wired and others to note that early August was the same period in which Equifax's general counsel approved sales of the company's stock by three executives, one of them the CFO. There is, therefore, this apparent dilemma. Either the CFO and general counsel were aware of non-public material information, or they weren't. If the former, then, as many have said, it looks like illicit insider trading. If the latter, then who in the world should be involved in incident planning and response, if not the CFO and the general counsel?

Given all of this, many are surprised to learn that the U.S. Internal Revenue Service just gave Equifax a $7.25 million contract for tax fraud prevention work. The contract is a bridge contract to provide taxpayer identity and validation services the IRS says are essential until the new contractor, which won the business in July, can take over. And presumably the T-men can't just do a dark web search for your tax information.

It's not just the U.S. either. A large data breach affecting some 6,000 businesses and government agencies seems to be unfolding in India.
It's Wednesday. That means it's time to take a quick look at our CyberWire event tracker. Coming up in Krakow on the 9th and 10th of October, there's an event called Dealing with Cyber Disruption. That's from CyberSec, the European Cyber Security Forum. On October 11th in Rockville, Maryland, there's a Cybersecurity Graduate Programs Information Session sponsored by UMBC. And coming up October 11th and 12th, it's Cyber Maryland 2017. That's at the Baltimore Convention Center. The 2017 International Information Sharing Conference is coming up at the end of the month, October 31st and November 1st in Washington, D.C. The tag for that event is Cybersecurity is a Team Sport. And our own fourth annual Women in Cyber Security Reception is taking place October 17th at the Columbus Center here in Baltimore. You can find out more information about that event at thecyberwire.com slash WCS.

One of our presenting sponsors for the event is CenturyLink. Dave Mahon is the chief technology officer there, and he offers his thoughts on the benefits of attending an event like the 4th Annual Women in Cybersecurity Reception.
You know, it's important to attend these events because people are going to be in the workforce for a very long period of time. I think the average person will probably be working anywhere between 30 and 40 years. You want to pick a profession that is dynamic, that is flexible, that is growing. And it's these types of events that allow people, particularly young women, to become exposed to the profession, but more importantly to the people in the profession.

And I would encourage young women in particular to network as much as you can at these types of events. And when you meet professionals who are already in the profession, I would recommend that you ask them at least three questions. The first one I would suggest you ask is, what do you like most about your profession? The second one is, what do you like least about your profession? And the third is, where do you see this profession in the next five to ten years? That begins to give you information about the industry and seeing if your skills, your talent, your capabilities, your desires, you know, align with the profession, because you want to be happy. You're going to be working for many, many years. You want a path that allows for flexibility and growth.

And then I would say, as you're coming out of your academic pursuits, think about what people are looking for in you. We're not just looking for people with a high GPA or that graduated from a great university or have a technical certification. We certainly want people to be technically competent, but when I consider how I think about people during the job selection process, I'm really looking for behaviors that connect that person intellectually and emotionally to our organizational purpose. I'm looking for people who have an authentic interest in the job. I very much want to see a tenacious intellect in young people. You're not going to know all the answers. I know that. But you have to drive to find the solution. I definitely want to see a strong work ethic: someone who can come in, stay with the project, drive it to conclusion. Most importantly for me is integrity. If you have all the other skills and you lack integrity, then you will not be successful in your profession.

Obviously, we want people to be technically competent. But there's another thing I look for in people, and that is gratitude: people who get up every morning respectful and appreciative of where they have found themselves in their lives, and willing to go out there and make a contribution both to the company, to their family, to the community. You know, they're the types of people that they're looking for.

And as a young woman, when you're at these networking events, it gives you an opportunity to seek out leaders in the organization that you might have an interest in, and ask them questions and get to know them.
That's Dave Mahon from CenturyLink.
Finally, it appears from internal evidence on screen in Star Trek Discovery that Starfleet is still running Windows, and even that it's dealing with Stuxnet. We just hope the holodeck isn't afflicted with the BlueBorne vulnerability because, well, we don't even want to go there. The whole holodeck recreation system is a little creepy, but mostly awesome.
Joining me once again is Jonathan Katz. He's a professor of computer science at the University of Maryland and also director of the Maryland Cybersecurity Center. Jonathan, welcome back. We're going to touch on a basic topic today, the subject of random numbers and the importance of truly random numbers when it comes to cryptography.

Well, random numbers turn out to be vital for various applications in cryptography. And the easiest example of that is just the example of generating a cryptographic key. When you generate a cryptographic key that you're going to share with some other party with whom you're going to communicate, you want that key to be random so that an attacker in particular won't be able to guess it. And the less random your key is, the easier it will be for an attacker to guess it. And once they guess it, of course, all the security of your encryption or authentication or what have you is going to be lost.

Are there methods for proving that a number or a string of numbers are truly random?

Well, that's interesting. That gets into the question of what it even means for something to be random, at least for the purposes of cryptography. And the fundamental measure here is entropy, which relates to exactly how hard it is for an attacker to guess the value of your random number. And so you want to make sure that any random number you're using for those purposes is really unguessable to the attacker. There have been some advances in the last couple of years, actually, on quantum mechanical methods for generating randomness, where the device can be proven to output random numbers that are unguessable to within a particular degree.

Now, what about using a number, like an irrational number like pi, as a source for a random number? Does that get you anywhere?

Yeah, that's kind of interesting. I hear that often. And the problem is that it doesn't really give you the randomness that you need for cryptography. So there might be some notion of randomness or chaotic behavior in, for example, the digits of pi, but they're not at all random because the digits of pi are public. So if you're going to be picking your key based on some consecutive digits of pi, and if an attacker knows that, then it would be trivial for the attacker to figure out exactly what your key is. So those kind of numbers would not be suitable for cryptographic purposes.

All right, Jonathan Katz, thanks for joining us.
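The entropy argument in the interview can be made concrete. The following example was written for this page; it is not code from the podcast or from Professor Katz. It assumes a hypothetical key scheme in which the only secret is the starting offset into the public decimal expansion of pi (the constant PI_DIGITS holds the first 50 digits), and compares that scheme with a key drawn from the operating system's CSPRNG via Python's secrets module. The names pi_key, random_key, entropy_bits_pi, entropy_bits_random and guesses_needed are all invented here.

```python
import hmac
import math
import secrets

# The first 50 decimal digits of pi after the decimal point. They are public knowledge,
# which is exactly why a key drawn from them carries almost no entropy from an attacker's view.
PI_DIGITS = "14159265358979323846264338327950288419716939937510"

KEY_LEN = 16  # 16 digits vs 16 random bytes, so both schemes yield a key of equal length


def random_key(nbytes: int = KEY_LEN) -> bytes:
    """Key from the OS CSPRNG: every byte is unguessable, giving 8 bits of entropy per byte."""
    return secrets.token_bytes(nbytes)


def pi_key(offset: int, ndigits: int = KEY_LEN) -> bytes:
    """Key built from `ndigits` consecutive digits of pi starting at `offset`.
    This is the scheme Katz warns against (hypothetical, constructed for the example)."""
    if offset < 0 or offset + ndigits > len(PI_DIGITS):
        raise ValueError("offset out of range for the available digits")
    return PI_DIGITS[offset:offset + ndigits].encode("ascii")


def entropy_bits_random(nbytes: int = KEY_LEN) -> float:
    """Entropy an attacker faces for a CSPRNG key: one bit per unknown key bit."""
    return 8.0 * nbytes


def entropy_bits_pi(ndigits: int = KEY_LEN, digits_available: int = len(PI_DIGITS)) -> float:
    """Entropy an attacker faces when the digits are public and only the start offset is secret.
    Assumes the attacker knows the scheme and the key length (Kerckhoffs's principle)."""
    choices = digits_available - ndigits + 1  # number of possible offsets
    return math.log2(choices)


def guesses_needed(key: bytes, ndigits: int = KEY_LEN) -> int:
    """Count the candidate pi-derived keys that must be tried before `key` is matched.
    Returns -1 when the whole (tiny) candidate space is exhausted without a match,
    which is what happens for a properly random key."""
    last_offset = len(PI_DIGITS) - ndigits
    for attempt, offset in enumerate(range(last_offset + 1), start=1):
        # compare_digest avoids timing side channels; irrelevant for a toy, but the right habit
        if hmac.compare_digest(pi_key(offset, ndigits), key):
            return attempt
    return -1


def demo() -> dict:
    """Side-by-side view of the two schemes on constructed sample keys."""
    weak = pi_key(7)          # constructed: caller 'secretly' chose offset 7
    strong = random_key()     # from the CSPRNG
    return {
        "pi_key_entropy_bits": round(entropy_bits_pi(), 2),
        "random_key_entropy_bits": entropy_bits_random(),
        "guesses_to_recover_pi_key": guesses_needed(weak),
        "guesses_to_recover_random_key": guesses_needed(strong),  # -1: not in the candidate space
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With 50 public digits and a 16-digit key there are only 35 possible offsets, so the scheme provides about 5 bits of entropy against an attacker who knows it, and the key falls to a handful of guesses; the 16-byte CSPRNG key gives 128 bits, and the attacker's enumeration never terminates with a match. Extending the digit table does not rescue the scheme: the entropy grows only logarithmically in the number of digits published, and the digits are public regardless.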
And that's the Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.