CyberWire Daily - North Korea turns to cryptocurrency theft. Equifax breach gets worse. Patch Tuesday. Duma says US election hacked
Episode Date: September 13, 2017

In today's podcast, we hear that North Korea's stealing all the Bitcoins it can find. The Equifax breach continues to spread: countries other than the US are increasingly involved. Patch Tuesday notes. The US Director of National Intelligence addresses the Billington CyberSecurity Summit. Joe Carrigan from JHU on VPN companies collecting private user data. Dr. Richard Ford, Chief Scientist, Forcepoint, on the Equifax breach. And did a Russian lawmaker just cop to the influence ops President Putin has so piously denied? Thanks for listening to the CyberWire. One of the ways you can support what we do is by visiting our sponsors. We read Recorded Future's free intel daily, you might find it valuable, too. If you'd like to protect your endpoints against advanced threats, check out Cylance. JHUISI & partner COMPASS Cyber present Cyber Security Conference for Executives on September 19th in Baltimore. Register for the event.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
North Korea is stealing all the Bitcoins it can find.
The Equifax breach continues to spread.
Countries other than the U.S. are increasingly involved.
We've got some Patch Tuesday notes.
The U.S. Director of National Intelligence addresses the Billington Cybersecurity Summit.
And did a Russian lawmaker just cop to the influence ops President Putin has so piously denied?
I'm Dave Bittner in Baltimore with your Cyber Wire summary for Wednesday, September 13, 2017.
North Korea, hit by international sanctions over its missile and nuclear tests, and the explicit threats it's been making against many countries, including but not limited to South Korea, Japan, and the United States, ramps up its raids on Bitcoin sources. Bitcoin and other cryptocurrencies are attractive means to accumulate and launder cash that sanctions are designed to interdict. Many of Pyongyang's recent raids have been directed against South Korean Ethereum exchanges.
The Equifax breach is proving a horror show, expanding in slow motion. We'll hear a little later from Forcepoint's chief scientist, Dr. Richard Ford, but in the meantime, it's been known since late last week that the Equifax breach extends to individuals outside the U.S. The first reports of non-U.S. citizens' data being compromised arrived from Canada and the U.K. The number of British subjects thought to be affected is by some estimates as high as 40 million. It now appears that the breach extends to Latin America, at the very least to Argentina. Security firm Hold Security has told Krebs on Security that it discovered signs of a large Equifax database in Argentina that's proven as exposed and unencrypted as the other Equifax databases hackers hit in the U.S. This may be a case of exposure as opposed to hacking, but whatever the case may be, it's bad news for Equifax and the consumers whose information the credit bureau has touched. Early indications suggest Argentina won't be the only Latin American country affected.

The breach has placed authorities and others on heightened fraud alert. The e-commerce fraud prevention company Forter told Yahoo Finance that it's seen a 15% spike in fraud attempts over the last two months. The evidence is circumstantial, but timing suggests to them that this is connected to the Equifax breach. Equifax will surely take a major financial hit from the breach and its poorly reviewed response. The Ponemon Institute has estimated the credit bureau's probable loss in the tens of millions, but that should be interpreted as a low-end guess.
Earlier today, I spoke with Dr. Richard Ford, chief scientist at Forcepoint, for his take on the Equifax situation.

So as we record this, it is Wednesday mid-morning here on the East Coast. What do we know about this Equifax situation from a cybersecurity technical point of view?
Yeah, so that's a great question. I think technically there's some confusion about exactly which vulnerability and what happened once the vulnerability was triggered. So I think we are pretty sure it was an Apache Struts vulnerability, which is part of their web services. But what happened after that is slightly less clear. And so often in these cases, that's what happens quite quickly after a breach. There's a lot of lack of clarity as to exactly what happened and how the attacker moved from the initial access to the target they wanted.
People are pointing out that Equifax has not done themselves any favors, that it seems that at every turn they've handled things in perhaps the worst possible way.

Yes. I think I have a lot of sympathy for them in some ways. When you've sat in one of these crisis war rooms, you know, it's like blood is coming out of your eyes. There's a lot of panic that goes on as you try and handle the press, you try and handle your customers, you try and handle your cybersecurity. So in that respect, you know, I have sympathy. With that said, I think it's very important for companies to have a crisis management team where you have these plans in the event of a breach. Here's what I'm going to do. Here's the comms plan. And in fact, I've worked with companies in the past who have actually sort of done those internal war games so that the time they have to do it for real, it's not the first time they've ever thought about it.
I imagine the folks sitting on the board at Equifax wondering, you know, what the heck happened here? How could it be this bad, and how could we have done this bad a job with our security? If I'm sitting on a board, and I'm trying to ask the right questions to my security team, how can I have assurances that they're actually taking care of business?

from the board level is quite tricky. And I think that's a really fantastic question, by the way. Boards in general do think about cybersecurity, but there are a few things that can go wrong. Sometimes the information the board gets is filtered or spun. And so it's difficult for the board to get full visibility. And then the second thing is, I think that boards also face the same sort of cybersecurity fatigue that you and I face. So we feel like we're on the hamster wheel of pain, right? We keep pushing forwards. We're sort of running on that treadmill in place. And so that fatigue can also be quite difficult. So I think it's hard in a number of ways for the board to look at the cybersecurity risk because it seems omnipresent. And then so often, you know, you don't have that deep expertise within the board to even know what are the right metrics, what metrics should the board be asking for from their companies to say, hey, you know, what are the right metrics for measuring cyber? Do you count incidents? Do you count patch rate? Do you count days of risk? These things are difficult. So the lack of metrics, the fatigue, and the lack of expertise can become sort of this perfect storm that makes it very difficult for the board to do their job.
In the bigger picture, I think one of the takeaways is, you know, do we really think that, you know, a social security number and a date of birth and the name is enough to identify me in, you know, 2017? And the answer is probably not. So thinking about how we can evolve standards might be more important because no matter how well folks lock these things down, eventually these kind of breaches are going to happen. If it's not here, it's there. If it's not the next place, it's the place after. And so thinking about ways that we can use technology to enhance identity is quite important. Whether this becomes the inflection point or not, we should be taking a long, hard look at how we do business, how we establish credit, and how we establish identity, and how we go about protecting that data. So I think that one of the interesting takeaways, by the way, from this breach is that data is an asset, but it's also a liability because you can't lose something that you don't have. Looking at the whole way that we deal with these kind of pieces of data, how we protect them, and the lenses that we use to sort of look at how data flows throughout our company needs to change. So we need to do security a little bit differently. We need to think about how we establish identity for the purposes of things like banking as well.
One of the interesting aspects of this is this is a highlight that we focus too much potentially on threats. So it's about detecting a threat. It's about saying, hey, is this packet coming towards me bad? Or hey, is this piece of software vulnerable? Is it exploitable? Instead, I think what we need to do is to pivot a little bit and enhance those techniques with techniques that look at how data is accessed. So if you looked at how that process, whatever process it was that ultimately took that data, it was probably an anomalous access, right? Processes usually don't access that much data and they don't float it off-site. And so refocusing on this sort of what we call the human point, the point of intersection between data access and data storage, how it's used, how it's accessed, can provide another lens that's less reactive, which provides a better way of doing security. It can augment the existing security systems you have. And I think that's quite an important point in this. Working through a purely threat-centric view of the world is sort of yesterday's way of protecting our data. And as data becomes increasingly mobile, especially with the cloud, we have to spend more time thinking about how is that data being accessed and what is the likely intent behind that access.

That's Dr. Richard Ford from Forcepoint.
Yesterday was Patch Tuesday, and Microsoft swatted 82 security bugs, 25 of them rated critical. One of them is a .NET vulnerability that's being exploited in the wild, reportedly to spread FinFisher spyware. The patches also address the BlueBorne vulnerability whose discovery was announced this week by security firm Armis.

Some of our reporters are down at the annual Billington Cybersecurity Summit in Washington today. The sessions have been interesting, and they're discerning a theme that's reappearing in several keynotes and panel discussions: the general erosion of social trust. That includes trust in commerce, banking, government, politics, even ordinary human interaction online. That general erosion of trust that cyber attacks bring about may be their most serious and enduring consequence, going beyond IP theft, losses to fraud, or even infrastructure compromise. Director of National Intelligence Coats was among those who expressed this at his morning keynote. The adversary's fundamental goal is usually to destroy trust. That's especially true of the nation-states and the non-state ideological actors, and even the conventional criminals will take some disruption as gravy on their theft.

And speaking of adversaries and disruption, a prominent member of the Russian Duma crows about influence operations. Vyacheslav Nikonov appeared on a Sunday political talk show in Russia, Sunday Evening with Vladimir Solovyov. He wanted to sneer at what he called declining American power. As Mr. Nikonov put it, American intelligence missed it when Russian intelligence stole the president of the United States. Well, President Putin has roundly denied any influence operations, still less election hacking. So, for Mr. Nikonov's sake, we hope President Putin isn't...
Joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Joe, welcome back. I saw an article come by on Ars Technica. It was about the FTC, a call for the FTC to scrutinize a company called Hotspot Shield.

Right.

And there's some folks who are alleging that they are intercepting traffic. This is a VPN service.

Right. The Center for Democracy and Technology. Yeah. They did a 14-page filing. And basically, they're saying that Hotspot Shield, which is a free VPN service...

Right.

...is collecting data and sort of channeling you to advertisers and so forth. A what kind of VPN service, Dave?

A free.

Free. So if you don't pay for something on the internet, you are the product.

That is correct.

And that's important for everyone to remember. Facebook, you are the product. Facebook isn't the product. The product is you and all the marketing and advertising that can go to you. And that's, you know, I have a Facebook account and I'm okay with that. When you start getting into these VPN services, though, this is a site that is, or a service rather, that's purporting to say, we'll keep your information private. But they're free, so they have to monetize this service somehow. And how they're monetizing it is allegedly, from what this report is saying, is from intercepting HTTP requests and then targeting ads towards the people who are using it.

And there's not necessarily anything wrong with that, if that's what you agree to going in when you sign up for the service.

If you agree to that, that's right. I use a VPN service that I pay for annually, and it costs me, I think, $35 a year to use the service. And I don't think that's a very high price for what I get. I did some research on which VPN service to use, and there are a number of them out there that cost about the same. And this one was – I mean, I can't plug one, being from a university, but this one had pretty good marks and has demonstrated to me that they're really interested in keeping my information and traffic secure, especially since at home I'm a Verizon user. And there's been recent changes in FCC policy that now allow Verizon to do what this VPN service is being accused of doing here. And that's to collect my data and target marketing towards me. Yeah. And that really does rub me the wrong way, because here I am paying Verizon a certain amount of money every month for the Internet and television service and phone service. And that's somehow not enough. They need to sell my traffic information. Right. So, yeah, I use a VPN at home and I use one that I pay for so that my traffic remains my own business.

Yeah, and I think maybe the point here is that I think when people hear VPN, they assume that what comes with it is a certain amount of privacy. And the point here is...

It depends. It absolutely depends on what you're engaging in. And like you said at the top, if it's free, they're making money somehow.

They are making money somehow. All right. Joe Carrigan, as always, thanks for joining us.

My pleasure, Dave.
And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.