CyberWire Daily - NSA breach announced today (occurred in 2015, discovered in 2016) may be final nail in Kaspersky Lab's coffin.
Episode Date: October 5, 2017

In today's podcast we hear that sensitive NSA files appear to have been obtained by Russian intelligence services, and there are claims Kaspersky software was the gateway to compromise. Las Vegas massacre investigation expands to consider possibility of accomplices. A new password stealer is out in the wild. NFL Players Association data exposed. Justin Harvey from Accenture on insider threats. Guest Joe Coleman, cyber threat intelligence analyst from PepsiCo. The FCC was mostly advised by bots on net neutrality (and bots who haven't benefited from DeepMind's ethics class).
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Sensitive NSA files appear to have been obtained by Russian intelligence services,
and there are claims Kaspersky's software was the gateway to compromise.
The Las Vegas massacre investigation expands to consider possibility of accomplices.
A new password stealer is out in the wild. The NFL Players Association data is exposed.
The FCC was mostly advised by bots on net neutrality and bots who haven't benefited
from DeepMind's ethics class.

I'm Dave Bittner in Washington, D.C. today with your CyberWire summary for Thursday, October 5th, 2017. We are at the Newseum in Washington, D.C. attending the 2017 RFUN Conference with our partners at Recorded Future.

Just a few hours ago, the Wall Street Journal broke the story of a major security incident at the U.S. National Security Agency.
Russian intelligence services are said to have obtained highly classified material related to both network attack and network defense
from a machine belonging to a contractor on which the sensitive information had been placed.
The most interesting aspect of the story is that the hackers targeted the contractor after, quote,
Remember, the story is just breaking, and so details are likely to be clarified and corrected later.
The breach is said to have occurred in 2015, but wasn't discovered until spring of last year.
Presumably, this means spring of 2016.
To put this on a timeline, NSA would have discovered the problem weeks before the Shadow Brokers began leaking
what the brokers assert are Equation Group hacking tools.
It's also shortly before the summer 2016 arrest of Hal Martin,
the NSA contract worker who was allegedly found to be hoarding highly classified material
in a shed at his Glen Burnie, Maryland home. The material the Shadow Brokers have leaked
appears to date to 2013 or so. It's unclear whether this latest revelation is connected
to either the brokers or Mr. Martin's case. The U.S. government a few weeks ago directed
federal agencies to get rid of Kaspersky security products from their networks,
or at the very least demonstrate some very good reason why they should continue to use them.
Administration accounts of the ban, issued by the Department of Homeland Security,
have all concentrated on Kaspersky's requirement under Russian law to cooperate with security, intelligence, and law enforcement agencies, and that indeed would seem to be sufficient
grounds for booting their products from government networks. This latest development would appear to indicate that there
are indeed other grounds for suspicion of Kaspersky Lab and its products. Kaspersky has long maintained
its innocence of nefarious cooperation with the Russian organs. It's possible their products may
have been subverted without their knowledge. It happened to Avast, after all. But few of the initial reactions to this latest story seem to credit that explanation. The news is still fresh and breaking, however, and we'll be following it closely. However it plays out, it's bad news indeed for the U.S. intelligence community, and the National Security Agency in particular.

Zscaler has discovered a password stealer spreading through a compromised website.
The malware is delivered by VBScript, which after downloading the malicious payload,
downloads a decoy document, terminates Microsoft Word processes, installs the payload through PowerShell, and removes document recovery entries of Microsoft Word. There's a Quaker State angle
to the exploit. The decoy document represents itself
as a public service message from the Pennsylvania Department of Public Welfare. It even helpfully
contains advice on mitigating spam and includes spam mitigation instructions. The malware steals
passwords from Armory Wallet, Chrome, Firefox, Qt FTP, FileZilla, PuTTY, Electrum Wallet, and WinSCP.
In the U.S., the Department of Homeland Security decries a growing public learned helplessness
over cyberattacks and data breaches. One case of data compromise that has been confirmed occurred
in the U.S. It was discovered by the security firm Kromtech, and like several other recent cases, comes down to an enterprise leaving an unsecured database exposed on the Internet.
In this case, the enterprise in question is the National Football League Players Association.
About 1,200 players and agents had their personal information compromised in an unsecured Elasticsearch database.

As I mentioned at the top of the show, we are on location at the RFUN conference in Washington, D.C., hosted by our partners at Recorded Future.
It's been a day full of interesting programs and speakers focused on threat intelligence,
and we had the opportunity to speak with Joe Coleman, cyber threat intelligence analyst at
PepsiCo.

The breadth of a company the size of PepsiCo, you have shipping, you have manufacturing, you have HR, and you must have an eye on all of those things.

We have to. There's no room for
error or no room for not being able to see. I'm very well trained in military intelligence. I've
studied this back, forth, sideways. I've been to combat about it. So now
explaining that concept to civilians in a corporate environment, that is challenging.
So one of the things that is perhaps the biggest challenge for veterans such as myself is putting
it into those terms that people can understand, such as instead of we're talking about the enemy combatants
are doing this, we have to look at it from a risk perspective.
What is the risk of this happening?
How can we prevent or mitigate that risk?
You know, those are big questions.
And, you know, that's a big thing for, I'm sure, a lot of folks in DOD and the services
listen to Cyber Wire.
Like, I know they do definitely down at Fort Meade.
So, you know, if you want to, there's a job pro tip for them.
Be able to translate your skills into civilian speak.
You know, that's probably a good big pro tip.
That comes up a lot.
And also the notion of exactly what you touched on, of being able to communicate, not in terms
of the threats being red, yellow, green, but in terms of, particularly when you get to the board level, dollars and cents, of risk.
What is the actual risk to the company here in a way that people who are used to talking about risk can understand?
Yes.
It's about having a Rosetta Stone, to put it in context.
Having that Rosetta Stone from being able to translate, say, the military term priority intelligence requirement,
which is basically what is the top risks to my company, you know, label that something else.
Label it risk assessment or possibilities or something along those lines.
That's what we have to be
able to do is have that Rosetta Stone language that, one, we use internally within the intelligence
section or within the fusion center. And then you have to have something to translate that to the
business side. And that's where I think we as intel analysts right now are not doing a great job.
We're not explaining that. And I can only speak for my own personal experience. We're not really doing a good job with that,
and it's because we're not really translating that well that they're not seeing the value.
Or sometimes you have the issues where you don't want to dilute the term intelligence, because if you look at what's going on now, you have intelligence as a cloud, as AI, as whatever it may be.
We want to be able to preserve what intelligence is because it is a discipline.
It's been around for 6,000 plus years.
do a very awesome job of correlation, at least machine correlation, and do a great job of organization, putting things into somewhat of a context. But it's the person with their experience
with repeatable analytical tradecraft, which is something a lot of people go to school or they
have some intuition about, they put that together and they're able to take information into intelligence.
Look at it as a formula.
So information plus analysis equals intelligence.
These are the things that we want to be able to translate to the business.
We're not dealing with mortars and IEDs and all that, but we are dealing with people who
want to take information and commoditize it.
And that's probably the biggest thing that we see a lot just in cyber intelligence,
is let's take something that may seem innocent and seemingly harmless, but when we combine that with other information, we get something that's worth a lot of money.
That's Joe Coleman from PepsiCo.
We'll hear more from him on an upcoming episode of the Recorded Future podcast.
You will no doubt recall that the U.S. Federal Communications Commission
sought public comment on its proposed revisions to net neutrality regulations.
So far, so good, right?
And what better way to get comments than online, right?
Digital democracy that Ross Perot or Arthur C. Clarke would love,
right? Well, not right. Unless we're extending the franchise to AI. Of the 22 million comments
on net neutrality the FCC received, data analytics firm Gravwell says only 17% appear to be genuine.
The other 83%? Bots. Google's DeepMind AI shop is convening a panel of experts in ethics
and various allied fields to help allay fears, voiced by Elon Musk, among lots of others who've
also drunk deeply of the Terminator franchise as well, that artificial intelligence is going to be
the death of us all. The idea is to design in goodness from the get-go so the AI won't turn
out evil. Sort of the way Microsoft's edgy teeny chatbot Tay did. We're in no particular position
to either discount Musk's fears or cry victory for DeepMind's robotic Pelagianism,
but we will watch their deliberations and recommendations with interest.
And I'm pleased to be joined once again by Justin Harvey. He's the Global Incident Response Leader
at Accenture.
Justin, welcome back.
You know, we talk about insider threats quite a bit here on the Cyber Wire, and you wanted to make the point that perhaps some businesses aren't giving them the attention they deserve.
Yeah, I think that there's a systemic problem here in the industry,
and the systemic problem is that many organizations are, they're thinking about
the bad guys that exist outside of their network. And what we've seen is a very marked spending
trend to build up the walls even higher on the perimeter. And Dave, you've done a lot of great
work with interviews talking about how that's actually a bad thing to continually
build up the perimeter, that you actually need to build up the perimeter and build layer defenses
so that if attackers do get in, then there's not a soft inside. But it's still, companies are
thinking in terms of bad guys coming from the outside in, and they address insider threat or employees or partners or vendors who already have access within their environment through business processes.
But there is a growing trend of more employees that are downloading toolkits, they're downloading means to circumvent
these controls, the business process controls on the existing systems they have in order to
accomplish a nefarious mission or in order to do something against corporate policy.
And really, one of the better ways to address that sort of behavior
is to formulate a strong insider threat program.

You use the term nefarious there, and certainly
there are people who are inside organizations up to no good, but I think you'd agree that a lot of
people just want to get their job done, and if IT says no to them, like you say, they're going to find a way around that.
The risk we see with that, in my mind, Dave, immediately went to shadow IT, the things like
Dropbox not used for corporate purposes or installing their own software that could or
may be against company policy. The pitfall with that approach is that those sorts of technologies have an inherent risk
or risk of data exposure that corporate IT or the corporate security programs may not
know that you're running that.
Therefore, there is the insider, meaning the employee who just wants to get their job done,
who feels like they
need to install a file sharing application like that. If there's a new vulnerability,
or if they perhaps take their laptop home and are using that both for personal and work,
it's very easy for them to be either phished or very easy for them to be exposed so that adversaries could gain a foothold onto their system and then ride,
quote, ride in with them when they go into the main corporate network. So sometimes, like you
had said, insiders may not be malicious. They may not be looking to do something nefarious. And
that's why at Accenture, we consider insider threat to be both direct and indirect, meaning willful and accidental.
Right. So how do you find the balance between putting appropriate restrictions on people but not slowing them down so much that they're going to seek out ways around the restrictions that you put on them?

Well, that's the $50,000 question that we
struggle with all the time in cyber defense and cybersecurity. I will say that the advice that I
give to my clients is that really focus on drawing security in as early as possible. And what we've
seen historically is a company wants to, let's say, put out a new app.
They want to put out an app that accesses sensitive data, that does various things for their customers.
And in the old days, I mean, five to 10 years ago, heck, probably people are doing this today.
The dev team would get together and build the requirements and they would build it all the way up until they were ready to go to
production. And then the change management process would say, well, do you have security sign off?
And then they would have to go back to security and say, can you please approve this? We have this
business imperative, et cetera, et cetera. The new way, as you've heard a lot, is to use something
called DevOps or an agile approach to development,
very iterative, changing stuff on the fly. And our advice or one of the big pieces of advice
that we give customers is embed security within that DevOps process so that very early on,
you have a security leader or you have a security team member that can be part of those daily scrums, that can be a part of the normal development process.
So when it does get to production and or when they are looking at various means to secure that or to put in the proper business processes to prevent a risky situation, it's already built in or baked into
that development process.

All right. Good advice as always. Justin Harvey, thanks for joining us.
And that's the Cyber Wire.
We are proudly produced in Maryland
by our talented team of editors and producers.
I'm Dave Bittner.
Thanks for listening.