CyberWire Daily - Patch that password manager. The hidden hand of the troll farm. Election meddling. Coin-mining’s costs, and a crackdown in China. If you really loved me, you’d speculate in Dogecoin....or something.
Episode Date: September 17, 2021
Patch your Zoho software now--vulnerable instances are being actively exploited. Maximum engagement isn’t necessarily good engagement: the hidden hand of the trolls replaces the invisible hand of the marketplace of ideas. Politics ain’t beanbag, Russian edition. An indictment emerges from the US investigation into possible misconduct during the 2016 elections. The costs of coin-mining. Josh Ray from Accenture on protecting critical infrastructure. Our guest is Tony Pepper from Egress with a look at Insider Data Breaches. And don’t mix investment advice with matters of the heart. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/180 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Patch your Zoho software now.
Vulnerable instances are being actively exploited.
Maximum engagement isn't necessarily good engagement.
The hidden hand of the trolls replaces the invisible hand of the marketplace of ideas.
Politics ain't beanbag, Russian edition.
An indictment emerges from the U.S. investigation into possible misconduct during the 2016 elections.
The costs of coin mining.
Josh Ray from Accenture on protecting critical infrastructure.
Our guest is Tony Pepper from Egress with a look at insider data breaches.
And no matter how lonely you might get, don't mix investment advice with matters of the heart.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, September 17th, 2021.
The U.S. Cybersecurity and Infrastructure Security Agency has issued with the FBI and the Coast Guard a joint advisory warning that CVE-2021-4539, a vulnerability in Zoho's password manager and single sign-on solution, ManageEngine ADSelfService Plus, is being actively exploited in the wild. Zoho fixed the bug on September 6th, and CISA urges users to apply the patch as soon as possible. The software is of concern to CISA because it's used by critical infrastructure companies, U.S. cleared defense contractors, and academic institutions. Some of the active exploitation may be the work of nation-state espionage services.
MIT Technology Review reports that Facebook's engagement maximization algorithms automatically pushed inflammatory, often false, troll-farmed content into American users' news feeds during the 2020 election season, reaching as many as 140 million individuals per month. An internal Facebook study concluded, quote, Instead of users choosing to receive content from these actors, it is our platform that is choosing to give these troll farms an enormous reach. End quote. The social network did seek to put guardrails in place to keep content from veering too far from some approximation of truth and normality, and it continued its work against coordinated inauthenticity, but its own algorithms were stacked against its better intentions.
Russia is preparing for its own elections. While such gestures in the direction of democratic process have a whiff of kabuki about them, they can't be treated entirely with contempt. And even under the worst periods of communist power, state policy and leadership were often decently covered with the fig leaf of something more or less resembling elections. The current oligarchic regime is organized in such a fashion that elections have been given a certain indeterminate weight, but that doesn't mean the government is any more content to leave the outcome to chance than was, say, Alderman Fast Eddie Vrdolyak in Chicago's 10th Ward back in the 70s. United Russia, that's President Putin's party, has resorted to such familiar ward-heeler-style tactics as bussing supporters to the polls. No word on whether they've shown up with the equivalent of Thanksgiving turkeys as an inducement to continued support, but if they're talking to people in Chicago, the idea would have certainly occurred to them. The Atlantic Council and Foreign Policy both have overviews of some of the more creative get-out-the-vote tactics. Here's one: run some guys who look like the guy you want not to win. And so, Vladimir Vladimirovich, vote early and often. You can't be too sure. After all, Fast Eddie's candidate for mayor lost the Democratic primary in an upset back in 1979. Don't just vote for the bald guy with the scruffy beard. Vote for the right bald guy with the scruffy beard. There's more than one dude answering that description.
Talk of Russian election influence inevitably brings one's mind to the most recent U.S. presidential elections, those of 2016 and 2020. An indictment was filed yesterday involving activities in 2016. Special Counsel John Durham, tasked with investigating potential FBI misconduct during the election, has secured the indictment of Michael Sussmann, a former federal prosecutor then working at the Democratic Party-connected law firm Perkins Coie, who presented the FBI with information alleging connections between then-candidate Trump and a Russian bank, Alfa Bank. The charge is of lying to the FBI when he, quote, stated falsely that he was not acting on behalf of any client, end quote, which led the Bureau to understand that he, quote, was conveying the allegations as a good citizen and not as an advocate for any client, end quote. The indictment alleges that Mr. Sussmann was billing the time he spent on researching the matter to the Clinton campaign. He now faces one federal charge of making a false statement.
If you were considering setting up an illegal cryptocurrency mining rig somewhere in China, not that you would, but just suppose, you might want to think twice. Bloomberg writes that Chinese police are increasing their enforcement of laws against illicit altcoin mining, which is producing a noticeable drain on the country's electrical power. Many cryptocurrency miners evaded the law by representing themselves as data researchers or storage facilities. Chinese coin miners have recently held 46% of the global hash rate. People freelancing Bitcoin mining rigs have been a problem in China for some time, and mining Bitcoin and other cryptocurrencies can be surprisingly profitable, despite gobbling up electrical power. There was, for example, the principal of Puman Middle School out in Hunan province who was fired back in 2018 when he was found to have set up a big coining rig in a dormitory. He moved it there from his home because he was dismayed by how big his electric bill had gotten, so he was mining away on the school's dime. School officials noticed something fishy about slow network performance at the middle school, and they also saw the school's own power bills going up. At first, they put it down to heavy use of the air conditioning, but then found out that, what the hey, someone was mining Ethereum up there behind the acoustic tiles in the drop ceiling, or wherever it was they had the rig cached. Exit the principal. The assistant principal was also involved, but he got off with just a warning.
Insofar as simple energy consumption is concerned, the most reliable estimates, like one by the Cambridge Centre for Alternative Finance, put the annual electrical budget of Bitcoin at about 110 terawatt hours, which is about what it takes to keep the lights on for a year in Malaysia, say, or Sweden. We've found no comparable estimates for Ether, Dogecoin, and the rest, but anywho, however you reckon it, it's not negligible, and so the Chinese authorities aren't necessarily blowing smoke about this being a problem. There are other costs to coin mining that impose externalities on the rest of us. The Guardian, citing a study in Resources, Conservation and Recycling, puts the average lifespan of crypto mining hardware at just 1.29 years, and the researchers estimate that the whole Bitcoin network currently cycles through 30.7 metric kilotons of equipment per year. This number is comparable to the amount of small IT and telecommunication equipment waste produced by a country like the Netherlands. While the Netherlands is a fairly neat and tidy place, that's still a lot of waste.
And finally, let's not overlook the toll in hopes disappointed and unrequited love, either. The U.S. Federal Bureau of Investigation, experts in their own button-down way in affairs of the heart, have issued a warning that altcoin has found its way into romance scams. It all starts in the familiar way. An online contact progresses to an online friendship and then to an online romance. Once the mark is sufficiently starry-eyed, the scammer offers them an exclusive investment opportunity in cryptocurrency. The victim makes a small investment, makes a small profit, and is even able to make a withdrawal. And then, of course, the victim is primed to trust Honey with even more money. What follows can be easily predicted. So advice to the lovelorn: if they really loved you, they wouldn't offer investment tips.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Tony Pepper is CEO and co-founder of Egress Software Technologies, where they recently surveyed 500 IT leaders and 3,000 employees in the US and UK to put together their 2021 Insider Data Breach Survey. I checked in with Tony Pepper for some highlights.
It really falls into three categories. So the first category is people getting hacked. So the first category is I am effectively tricked by a malicious external actor that's trying to make me do stuff that I don't believe is actually the right thing to do. Or maybe I'm communicating with someone I believe is trusted. So a classic phishing email would fall into that category. And that probably represents 73% of the incidents of insider that we surveyed. But I think you quite rightly picked up that human error is another one of those categories. I think everyone can appreciate we've all made mistakes in our lives, and in particular when using tools like email, and in particular stuff like Outlook autocomplete, where it kind of prompts us and almost double guesses who we're trying to speak to. It's actually very, very easy just to make a really easy error and send information to the wrong person accidentally. And again, that was the top cause of insider breach on the survey. 84% of IT leaders said that they'd had a serious breach caused by human error. But there actually is a third category. And that category is data exfiltration. So that kind of falls under the banner of people breaking the rules. And these are people that maybe are either breaking them recklessly, so I'm sending information to a webmail account because I'd like to print off a document at home, or they are maliciously taking data and they are sending it to a personal account to take that information with them when they go to that next role. So they're the core categories that fit out inside a risk.
What are your recommendations here based on the information you've gathered? I mean, how do we strike that balance between, you know, allowing folks to do the work they need to do, but also keeping a good eye on things to maintain your security?
You know, I think the recommendations are that the reality is, I think there's too much demonization within technology in the broader cybersecurity industry that it's people's fault. I think it's the responsibility of every organization on the planet to ultimately provide tools to help their employees do the right thing. Now, naturally, those tools will also catch those more malicious insiders who may be knowingly doing the wrong thing. But actually, by and large, many of the insider breaches that we've seen that's covered in the survey are actually well-intentioned employees that are just purely either tricked externally or making a genuine mistake. So that relies on education, and I think there's a huge amount of work going on in the industry about helping people understand where the threats might come from. But it's also technology. You know, I think it's investing in technology that can offer guide rails to their employees to enable them to ultimately avoid making genuine mistakes or avoid being tricked by someone that's pretending to be someone that they think it is. So I think it's a combination of education and technology to try and get in front of this issue.
That's Tony Pepper from Egress Software Technologies. There's a lot more to this conversation. If you want to hear the full interview, head on over to CyberWire Pro and sign up for Interview Selects, where you'll get access to this and many more extended interviews.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And I'm pleased to be joined once again by Josh Ray. He is Managing Director and Global Cyber Defense Lead at Accenture Security. Josh, it is always great to have you back. I wanted to touch base with you because I know that recently you were one of the keynote speakers at the EDGE 2021 conference. And you've got some interesting stuff you wanted to share with us today about that experience. What can you describe for us?
Dave, it was fantastic. And thanks for having me back on the show. To actually be in person, to kind of create those relationships and reinforce those, reestablishing existing relationships was just so important, I think, and something that I think we all have missed. And it's key to solidifying that trust when you talk about trying to continuously drive innovation and move towards that collective mission success. One of the things that was actually really, I think, impactful, or a lot of the things that we talked about, were creating those meaningful relationships between public and private sector in a way to create and achieve this notion of collective defense, right? So, you know, what are those desired outcomes for both parties? What are some of the challenges and best ways to establish that trust? One of the things that, you know, Sean Kaufman actually pointed out, and all of these guys have had, you know, whether it's Adam Lee from Dominion Power or Brian Harrell from Avangrid and Sean Kaufman from Discover, they've all kind of seen both sides of the coin, public and private sector. And Sean pointed out, and I'm paraphrasing here, but when you're talking about sharing information with the public sector, can sharing too much information put an organization like his in this notion of kind of regulatory purgatory? But he kind of went on to speak about, you know, had Colonial, for instance, been a physical attack, or any of these, you know, ransomware or nation-state attacks been physical in nature, we would have seen the full strength of the federal government kind of being brought to bear. And he fights this fight, and so many of my clients fight this fight on a day-to-day basis, investing tremendous amounts of resources and money to defend shareholder value, intellectual property, everything that you can think of there. And it's needed. But one of the things that Sean really kind of pointed out was that we also need that same level of deterrence from a cyber standpoint that really only the federal government can bring to bear if we really hope to level the playing field against some of our cyber adversaries.
Is there an ongoing sense of, I don't know, fuzziness as to who's responsible for what when it comes to this stuff? You know, how much of this responsibility falls on the private sector? How much should the public sector, even the military, take responsibility for?
Yeah, we talked a little bit about roles and responsibilities and spoke quite a bit about kind of moving past really this compliance-based security model and much more towards this risk and intelligence-based resilient security approach. I think when you're talking about who has responsibility in that world, it's really on the organizations to pull themselves up by their bootstraps. One of the things that Adam Lee kind of pointed out, and I think really articulated well, is that this notion of compliance is not security. It's a baseline, right? But organizations really need to kind of get to be nimble in order to secure your business against a variety of the types of adversaries that most of my clients face, especially Adam. They really need to be nimble and be able to kind of approach this through the lens of risk and not purely compliance. Because if you're just looking at it from a compliance checkbox, you're not going to account for all of those variety of different types of risks you're going to face. And your program is not going to be nimble enough to really protect that shareholder value.
You mentioned trust, and I'm curious what the opinions were of your fellow folks there on the panel at the conference when it comes to the future of that, establishing that trust in more than just lip service between the private and public sectors.
Dave, what we saw really with the attendees, and each one of them having kind of that dual-hatted public and private sector experience, and I've experienced it myself, is those relationships are best created when you've kind of been there and done that, right? And what I mean by that is you have to be able to understand that this is a shared success model, and each one of the, you know, whether it's public or private sector, needs to be able to feel like they're getting something out of that relationship. And the mission has to operate at that speed of trust, right? So you can't, there's really no room for kind of ambiguity or distrust when you're trying to be, you know, operational or respond to a variety of different types of threats. So, you know, a great example was, you know, Brian Harrell in his CISA role worked very closely with Adam when, you know, in his current Dominion role. And that trust has now transferred over to Brian's current role at Avangrid. And you see that there's a much tighter collaboration between those two organizations as they kind of have that, again, that shared success model. But when you have leaks that get out when organizations share information with the public sector, I mean, these are all things that continuously erode trust, or when public or private organizations don't protect information that's been given to them. You know, these are all things that kind of degrade that ability to, you know, to have that collective defense and that shared trust model.
Yeah, it's interesting. I mean, it really swings back around to what you're saying at the outset, which is the importance of being able to get together face-to-face and actually talk about these things.
Absolutely. And, you know, I loved one of the quotes that, you know, that Brian had is, you know, let's protect pencils like pencils and diamonds like diamonds, right? And it really speaks to the fact that, you know, we need to be thinking about what's on the horizon and what's next. And those are, that's difficult to do in a virtual session, right? So, and he was right on the money when he talked about allocating the right level of resources to kind of think about kind of, you know, what's coming next? What's that emerging threat? You know, employing people and expending those resources that folks that really are thinking about all the different avenues of attack into your organization and thinking much bigger than kind of just being consumed with the monster at the moment. And getting out of your day-to-day, getting to a conference or getting to kind of information sharing groups, even if they're local, is just a great way to kind of extend your ability to have influence in the community, create those relationships, and really, I think, make a big difference in our collective ability to defend ourselves against threats that are just going to continuously evolve and become much more capable in nature.
All right. Well, Josh Ray, thanks for joining us.
Thanks, Dave.
And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The Cyber Wire podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Be sure to tune in to this weekend's Research Saturday and my conversation with Jake Valletta from Mandiant and FireEye. We're discussing the vulnerabilities found in IoT devices that use ThroughTek Kalay networks. That's Research Saturday. Check it out.
Our amazing CyberWire team is Elliott Peltzman, Trey Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.